Deflating news: Bouncy Castle BKS-V1 keystore files not adequately protected

The BKS version 1 keystore files for Bouncy Castle, a collection of cryptographic APIs for C# and Java applications, reportedly contain a weak hash-based message authentication code (HMAC) that can be cracked by hackers in seconds using hash collision attacks.

In a vulnerability advisory published today, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute reports that the Bouncy Castle code for version 1 BKS files uses only 16 bits for the MAC key size instead of the recommended 160 bits. BKS is a format for keystore repositories that contain various security certificates.

“This means that regardless of password complexity, a BKS version 1 file can only have 65,536 different encryption keys. A valid password for a keystore can be brute forced by attempting each of these key values, which can take only seconds,” the advisory explains.

BKS-V1 files that were created with Bouncy Castle 1.46 or earlier or 1.49 or later are susceptible to cracking; therefore, users are advised not to rely on version 1 BKS keystore files. The vulnerability was discovered by Will Dormann of the CERT/CC.
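To act on that advice, a team first has to find the version 1 files it still ships. The following is an added example, not code from the advisory or from Bouncy Castle: a header triage that flags likely version 1 BKS files under a directory. It assumes the BKS header starts with a big-endian 32-bit version, a 32-bit salt length, the salt, and a 32-bit iteration count; the function names and the `MAX_SALT` bound are hypothetical.

```python
import struct
import sys
from pathlib import Path

# Assumed header layout (big-endian): int32 version, int32 salt length,
# salt bytes, int32 iteration count.
MAX_SALT = 64  # constructed sanity bound that limits false positives


def classify_bks_header(data: bytes) -> str:
    """Return 'bks-v1', 'bks-v2' or 'not-bks' for the leading bytes of a file."""
    if len(data) < 8:
        return "not-bks"
    version, salt_len = struct.unpack(">ii", data[:8])
    if version not in (1, 2) or not 0 < salt_len <= MAX_SALT:
        return "not-bks"
    end = 8 + salt_len + 4
    if len(data) < end:
        return "not-bks"
    (iterations,) = struct.unpack(">i", data[8 + salt_len:end])
    if iterations <= 0:
        return "not-bks"
    return "bks-v1" if version == 1 else "bks-v2"


def find_v1_keystores(root) -> list:
    """Walk root and return paths whose header looks like a version 1 BKS file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        try:
            if not path.is_file():
                continue
            with path.open("rb") as fh:
                head = fh.read(8 + MAX_SALT + 4)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
        if classify_bks_header(head) == "bks-v1":
            hits.append(path)
    return hits


def sample_header(version: int, salt: bytes = b"\x11" * 20, iterations: int = 1024) -> bytes:
    """Constructed header bytes for testing; not taken from a real keystore."""
    return struct.pack(">ii", version, len(salt)) + salt + struct.pack(">i", iterations)


if __name__ == "__main__":
    for hit in find_v1_keystores(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"BKS version 1 keystore: {hit}")
```

A header match is a triage signal only; confirm each hit by loading it with the keystore tooling before replacing it.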

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.