Found hard-coded secret-key for challenge-response on libfprint
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libfprint |
Fix Released
|
Unknown
|
|||
libfprint (Ubuntu) |
Invalid
|
High
|
Unassigned |
Bug Description
Dear all,
We need to fix hard-coded symmetric-key for challenge-response authentication on `uru4000 driver`.
The driver uses a symmetric-key technique to encrypt the challenge data using AES encryption algorithm for authentication.
"2nd generation MS devices added an AES-based challenge/response authentication scheme, where the device challenges the authenticity of the driver."
link: https:/
Unfortunately, the driver creates risk by exposing a hard-coded secret key as follows:
/* For 2nd generation MS devices */
static const unsigned char crkey[] = {
0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
};
link: https:/
If the library wants to use challenge-response authentication, we need to introduce a new key distribution scheme also.
Furthermore, I don't know why the library is really necessary to use it such a resource constrained environment.
Lastly, is it a kind of CWE-321: Use of Hard-coded Cryptographic Key? (see https:/
Many thanks!!
information type: | Public → Public Security |
Changed in libfprint: | |
status: | Unknown → New |
Changed in libfprint: | |
status: | New → Fix Released |
Thank you for your bug report, could you maybe report that upstream? We don't have any active maintainer for that stack in Ubuntu and upstream is better placed to respond to the issues you are raising