Network Security, Vulnerability Management

Deflating news: Bouncy Castle BKS-V1 keystore files not adequately protected


The BKS version 1 keystore files for Bouncy Castle, a collection of cryptographic APIs for C# and Java applications, reportedly contain a weak hash-based message authentication code (HMAC) that can be cracked by hackers in seconds using hash collision attacks.

In a vulnerability advisory published today, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute reports that the Bouncy Castle code for version 1 BKS files uses only 16 bits for the MAC key size instead of the recommended 160 bits. BKS is a format for keystore repositories that contain various security certificates.

“This means that regardless of password complexity, a BKS version 1 file can only have 65,536 different encryption keys. A valid password for a keystore can be brute forced by attempting each of these key values, which can take only seconds,” the advisory explains.

BKS-VA files that were created with Bouncy castle 1.46 or earlier or 1.49 or later are susceptible to cracking; therefore, users are advised not to rely on version 1 BKS keystore files. The vulnerability was discovered by Will Dormann of the CERT/CC.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.