Public bug reported:

Dear all,

We need to fix the hard-coded symmetric key for challenge-response authentication in the `uru4000` driver. The driver uses a symmetric-key technique to encrypt the challenge data using the AES encryption algorithm for authentication.

"2nd generation MS devices added an AES-based challenge/response authentication scheme, where the device challenges the authenticity of the driver."
link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L348

Unfortunately, the driver creates risk by exposing a hard-coded secret key as follows:

    /* For 2nd generation MS devices */
    static const unsigned char crkey[] = {
        0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
        0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
    };

link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L150

If the library wants to use challenge-response authentication, we also need to introduce a new key distribution scheme. Furthermore, I don't know why it is really necessary for the library to use it in such a resource-constrained environment.

Lastly, is it a kind of CWE-321: Use of Hard-coded Cryptographic Key? (see https://cwe.mitre.org/data/definitions/321.html)

Many thanks!!

** Affects: libfprint (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1818936

Title:
  Found hard-coded secret-key for challenge-response on libfprint
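
An added example, not part of the original report or of libfprint: a small Python audit script that flags key-sized, random-looking byte arrays in C source, which is the pattern the `crkey` declaration quoted above matches (CWE-321). The `gamma_lut` table, the function names and the 0.85 entropy ratio are assumptions made for illustration.

```python
import math
import re

# Constructed input: the crkey declaration quoted in the report plus a
# made-up sequential table (gamma_lut) that must not be flagged.
SAMPLE_C = """
/* For 2nd generation MS devices */
static const unsigned char crkey[] = {
    0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
    0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
};
static const unsigned char gamma_lut[16] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
};
"""

AES_KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes
ARRAY_RE = re.compile(
    r"(?:static\s+)?(?:const\s+)?(?:unsigned\s+char|uint8_t|guchar)\s+"
    r"(\w+)\s*\[\s*\d*\s*\]\s*=\s*\{([^}]*)\}")
HEX_BYTE_RE = re.compile(r"\b0[xX]([0-9a-fA-F]{1,2})\b")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; at most log2(len(data)) for short buffers."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def is_constant_step(data: bytes) -> bool:
    """True for counters and fills (0,1,2,... or all 0xff), which are not keys."""
    return len({(b - a) % 256 for a, b in zip(data, data[1:])}) <= 1

def find_key_candidates(source: str, min_ratio: float = 0.85):
    """Return (line, name, length, entropy) for key-sized, random-looking arrays."""
    findings = []
    for m in ARRAY_RE.finditer(source):
        data = bytes(int(h, 16) for h in HEX_BYTE_RE.findall(m.group(2)))
        if len(data) not in AES_KEY_SIZES or is_constant_step(data):
            continue
        entropy = shannon_entropy(data)
        if entropy >= min_ratio * math.log2(len(data)):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), len(data), round(entropy, 3)))
    return findings

if __name__ == "__main__":
    for line, name, length, entropy in find_key_candidates(SAMPLE_C):
        print(f"line {line}: {name} ({length} bytes, {entropy} bits/byte): possible CWE-321")
```

A hit is only a candidate for manual review: the heuristic cannot tell a secret key from other random-looking constants of the same length.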