Sonatype examines Bouncycastle’s open source vulnerabilities
In the continuation of our series examining Sonatype’s White Paper, we explore the specific open source vulnerabilities of Bouncycastle.
Ranked fifth on the most vulnerable open source components commonly used by Financial Services organisations list, Bouncycastle first originated in the late 90s as an effort by creators to combine their dual interests in cryptography and open source. It saw its first API released in 2000 at 27,000 lines long, which was subsequently eclipsed in 2012 with a Java code base in excess of 300,000 lines and a C# iteration of over 140,000.
Identifying its primary vulnerability as ‘information exposure’ (vulnerability CVE-2018-5382), the severity of the problem is summarised by Sonatype as follows:
Bouncy Castle BKS version 1 file is vulnerable to a brute force breach using associated metadata with a file format kept largely unprotected by default.” The following components are affected:
- org.bouncycastle : bcprov-jdk14 : ( , 1.47)
- org.bouncycastle : bcprov-jdk15on : ( , 1.47)
- org.bouncycastle : bcprov-jdk16 : ( , )
The reason for this exposure lies in the package’s less-than-desirable encryption strength. The highly vulnerable ‘engineLoad()` function (part of the ‘JDKKeyStore.class` file) uses the aforementioned BKS V1 file, meaning that sensitive data can easily be compromised.
Attack mechanics and remediation procedure
A brute force timing or side-channel attack manifests itself by flooding a system with multiple values at once. The perpetrator can then deduce information from the time it takes to generate an incorrect answer from a correct one.
Ultimately, the root cause for the vulnerability is the BKS V1’s outdated 16-bit HMAC (keyed-hash message authentication code), which simply cannot repel the capabilities of modern hardware.
Sonatype’s recommended course of remediation is simple: upgrade to version 1.47 or newer. This update boosts the HMAC to a far more substantial 160-bit, which is enough to resolve the CVE-2018-5382 vulnerability.
The whitepaper adds, “For users of `org.bouncycastle:bcprov-jdk14` and `org.bouncycastle:bcprov-jdk15on` components, upgrading to version 1.47
is the recommended solution.
“However, a fixed version for `org.bouncycastle:bcprov-jdk16` component does not exist in Maven Central as of writing this piece.”
NFTs: A token of trust in the digital world
NFTs have recently taken the world by storm, as media headlines in the last month will attest. The digital artist Beeple sold the NFT for one of his pieces for a record US$69mn in a Christie’s auction. Jack Dorsey just sold a digital version of his first tweet for over $2.9mn in the same way, with the buyer comparing it to the Mona Lisa. The band Kings of Leon are even selling their new album in the form of an NFT.
In simple terms, NFTs, or non-fungible tokens, provide verification of ownership of a digital asset. They are unique digital tokens stored on a blockchain ledger, which means that they cannot be changed or tampered with. Traditional artworks, such as paintings or sculptures, are valuable because they are one of a kind and cannot be replicated. Conversely, digital files can be easily – and endlessly – copied. However, by purchasing an NFT, the buyer can prove that they own the rights to the "original" digital asset.
There have been mixed responses to NFTs’ sudden popularity, with some seeing it as the emergence of a new asset class, while others cannot wrap their heads around the idea of paying such large sums of money for a digital asset that can be duplicated.
However, surely this is a natural evolution in today’s digital world? As with traditional art, digital art is only worth what someone is willing to pay for it. In theory, anyone could have an excellent replica made of a traditional artwork if they wanted to, but a large part of art’s value is derived from its originality. Serious art collectors don’t want a copy. Countless people around the world have Matisse prints on their walls, but it isn’t the same as owning the original painting. Why should it be so different for digital art?
Blockchain is enabling monetary value to be assigned to the “digital twin” of a physical asset and, by virtue of distributed ledger technology, creating a virtual environment in which the authenticity of a digital asset or “twin” is a separate value in its own right - due to the unique corresponding verification on a blockchain. Digital twins have not instantly taken off in the mainstream, as the risk of duplication has been a significant deterrent – however, NFTs are paving the way for a new era of trust in digital assets.
For our part, we see NFTs as yet another way that blockchain is creating opportunities and shaping the world in which we live. Blockchain’s ability to record data securely and immutably is an incredibly important technological advancement, and it is no surprise that it is being capitalised on in so many different ways.
This powerful technology has certainly come a long way since its origins as the foundation of cryptocurrency, and we are seeing new applications every day. We set up Finboot in the first place because we could see the value of introducing blockchain to enterprise supply and value chains, and we’re seeing the technology deployed in a number of ways by our clients, from invoice reconciliation to the verification of sustainability credentials, giving them a competitive edge as well as building trust.
Some might be skeptical about NFTs but they would be wrong to dismiss it as a passing fad. NFTs effectively solve the problem of authenticity and, because the tokens are stored on a decentralised database, the record is public, significantly reducing the possibility of theft or fraud or theft. NFTs are a game-changer, and this is just the start.