Bouncy Castle keystore: How are files vulnerable to brute force?

BKS files are being exposed to hash collisions, enabling hackers to use brute force attacks against C# and Java applications. Learn how this occurs and possible solutions with Judith Myerson.

Bouncy Castle is a collection of cryptographic APIs for Java and C#, but it was recently reported that some of the Bouncy Castle keystore files are vulnerable to hash collisions, which enable attackers to use brute force attacks to crack the cryptography behind C# and Java applications. How is this possible? What solutions has Bouncy Castle suggested?

Brute force cracking of the cryptography for C# and Java applications may be caused by a design flaw in the first version of the Bouncy Castle keystore (BKS) file of encryption keys. The flaw improperly determines the message authentication code (MAC) key size used to protect the data inside of the keystore where the key size is insufficient to prevent a hash collision attack against valid passwords.

In the BKS hashed MAC, an SHA-1 cryptographic hash function is 160 bits long. RFC 7292 on cryptographic algorithms specifies that the sizes of the MAC key and the hash function must be the same. The first version of the Bouncy Castle keystore files fails to meet this requirement if the MAC key size is 16 bits instead of the required 160 bits.

A 16-bit BKS file can have a repository of 65,536 different encryption keys -- meaning an attacker could write a simple password to crack the script to the brute force hash collisions. Furthermore, as computational power increases, attackers may find it easier to guess key values in seconds.

A CERT Coordination Center blogger at Carnegie Mellon University demonstrated how he created a brute force cracking tool with Python's pyjks library and saved the script as a Python file (crackbks.py). Upon execution, the file showed the password in plain view and the maximum size of the Bouncy Castle keystore password was found to be 16 bits.

Bouncy Castle has suggested using BKS version 1.47 or newer, as the default MAC key size of a BKS keystore file was increased from 16 bits to 160 bits to protect the keystore from hash collision attacks.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security