The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Bouncy Castle JCE: incorrect computation of NatX.square

Synthesis of the vulnerability 

An attacker can use a computation error in NatX.square() in the ECDH implementation of Bouncy Castle JCE, in order to obtain a static key.
Vulnerable software: Bouncy Castle JCE.
Severity of this announcement: 1/4.
Creation date: 29/11/2016.
References for this computer vulnerability: VIGILANCE-VUL-21223.

Description of the vulnerability 

The Bouncy Castle JCE product offers methods to square numbers: Nat192.square(), Nat256.square(), SecP384R1Field.square(), etc. These functions are used only for elliptic-curve arithmetic.

However, the squaring result is wrong in 1/2^48 cases, and the error goes undetected in 1/2^100 cases. When static (not ephemeral) keys are used with ECDH, an attacker can thus progressively recover the key.

An attacker can therefore use a computation error in NatX.square() in the ECDH implementation of Bouncy Castle JCE, in order to obtain a static key.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer weakness announcement impacts software or systems such as Bouncy Castle JCE.

Our Vigil@nce team determined that the severity of this security alert is low.

The trust level is confirmed by the editor, with a document as origin.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Bouncy Castle JCE: version 1.56 beta 7.
Version 1.56 beta 7 is fixed:
  https://www.bouncycastle.org/betas

Bouncy Castle JCE: workaround for Static ECDH Ciphersuites.
A workaround is to disable Static ECDH Ciphersuites for TLS/JSSE.
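One way to apply this workaround programmatically with the standard javax.net.ssl API, as an added example that is not part of the bulletin or of Bouncy Castle's own code: static ECDH suites are named TLS_ECDH_..., while ephemeral suites are named TLS_ECDHE_..., so filtering on the prefix including the trailing underscore removes only the static ones. The sample suite list is constructed for illustration; the class name and method names are assumptions.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Removes static ECDH (TLS_ECDH_*) cipher suites from a JSSE suite list. */
public final class StaticEcdhFilter {

    // Static ECDH suites: TLS_ECDH_<auth>_WITH_...; ephemeral suites are
    // TLS_ECDHE_..., so the trailing underscore keeps ECDHE suites enabled.
    private static final String STATIC_ECDH_PREFIX = "TLS_ECDH_";

    public static boolean isStaticEcdh(String suite) {
        return suite.startsWith(STATIC_ECDH_PREFIX);
    }

    public static String[] withoutStaticEcdh(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !isStaticEcdh(s))
                .toArray(String[]::new);
    }

    /** Restricts an engine to its currently enabled non-static-ECDH suites. */
    public static void harden(SSLEngine engine) {
        engine.setEnabledCipherSuites(withoutStaticEcdh(engine.getEnabledCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list; a real list comes from the SSLContext below.
        String[] sample = {
            "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  // static ECDH: dropped
            "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",    // static ECDH: dropped
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // ephemeral: kept
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   // ephemeral: kept
        };
        System.out.println(Arrays.toString(withoutStaticEcdh(sample)));

        // Report which suites the default provider enables that would be disabled,
        // then harden an engine and confirm none remain.
        SSLContext ctx = SSLContext.getDefault();
        for (String s : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (isStaticEcdh(s)) System.out.println("would disable: " + s);
        }
        SSLEngine engine = ctx.createSSLEngine();
        harden(engine);
        boolean clean = Arrays.stream(engine.getEnabledCipherSuites())
                .noneMatch(StaticEcdhFilter::isStaticEcdh);
        System.out.println("static ECDH disabled: " + clean);
    }
}
```

The same filter can be applied to an SSLSocket or SSLServerSocket via their setEnabledCipherSuites methods, whichever provider backs the SSLContext.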

Computer vulnerabilities tracking service 

Vigil@nce provides a network vulnerability patch. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.