The conclusion from the upstream bug is that it needs to be fixed in the
hardware; closing.

** Changed in: libfprint (Ubuntu)
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libfprint in Ubuntu.
https://bugs.launchpad.net/bugs/1818936

Title:
  Found hard-coded secret-key for challenge-response on libfprint

Status in libfprint:
  Fix Released
Status in libfprint package in Ubuntu:
  Invalid

Bug description:
  Dear all,

  We need to fix the hard-coded symmetric key used for challenge-response
  authentication in the `uru4000` driver.

  The driver uses a symmetric-key technique to encrypt the challenge
  data with the AES encryption algorithm for authentication.

  "2nd generation MS devices added an AES-based challenge/response
  authentication scheme, where the device challenges the authenticity of
  the driver."
  link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L348

  Unfortunately, the driver creates risk by exposing a hard-coded secret
  key as follows:

  /* For 2nd generation MS devices */
  static const unsigned char crkey[] = {
        0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
        0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
  };
  link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L150

  If the library wants to use challenge-response authentication, we also
  need to introduce a new key-distribution scheme.

  Furthermore, I don't know why it is really necessary for the library to
  use it in such a resource-constrained environment.

  
  Lastly, is it a kind of CWE-321: Use of Hard-coded Cryptographic Key?
  (see https://cwe.mitre.org/data/definitions/321.html)

  Many thanks!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/libfprint/+bug/1818936/+subscriptions
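Added example, not part of the bug report and not libfprint's own code: the
exchange the report describes, worked through in pure Python so it runs
without extra modules. It assumes the device's check is a single raw AES-128
block, response = AES(crkey, challenge), with the key bytes taken from the
uru4000.c excerpt quoted above; the real uru4000 message framing is not
reproduced, and the function names (device_accepts, impostor_response,
run_challenge, key_offset_in_image) are illustrative. The AES S-box is
generated from the field arithmetic rather than typed in, and the "shipped
image" passed to key_offset_in_image is a constructed blob.

```python
"""Why a hard-coded challenge/response key authenticates nothing.

Added example, not libfprint code.  Assumption: the device sends a 16-byte
challenge and accepts the response iff it equals AES-128(crkey, challenge)
as one raw block.  The real uru4000 framing is not reproduced here.
"""
import os

# Key bytes exactly as they appear in uru4000.c (quoted in the bug report).
CR_KEY = bytes([0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
                0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b])


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x11b) & 0xff if a & 0x100 else a


def _mul(a, b):
    """GF(2^8) multiplication, used by MixColumns."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """Generate the AES S-box (inverse + affine map) instead of typing it."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xff         # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q                       # affine transform: q ^ rotl(q,1..4) ^ 0x63
        for k in (1, 2, 3, 4):
            x ^= ((q << k) | (q >> (8 - k))) & 0xff
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; defined separately
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:              # RotWord, SubWord, Rcon every 4th word
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s):
    """State is column-major: index = row + 4*col; row r rotates left by r."""
    out = list(s)
    for r in range(1, 4):
        for c in range(4):
            out[r + 4 * c] = s[r + 4 * ((c + r) % 4)]
    return out


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_mul(a[0], 2) ^ _mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _mul(a[1], 2) ^ _mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _mul(a[2], 2) ^ _mul(a[3], 3),
                _mul(a[0], 3) ^ a[1] ^ a[2] ^ _mul(a[3], 2)]
    return out


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block with AES-128 (ECB of a single block)."""
    rk = _expand_key(key)
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 10):
        s = _mix_columns(_shift_rows([SBOX[b] for b in s]))
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    s = _shift_rows([SBOX[b] for b in s])
    return bytes(a ^ b for a, b in zip(s, rk[10]))


def device_accepts(challenge, response):
    """Hypothetical device-side check, assumed to mirror the driver's AES step."""
    return response == aes128_encrypt_block(CR_KEY, challenge)


def impostor_response(challenge):
    """Anyone who has read uru4000.c holds the same constant, so this answer
    is indistinguishable from the genuine driver's."""
    return aes128_encrypt_block(CR_KEY, challenge)


def run_challenge():
    """One exchange with a fresh random challenge; True means the device
    accepted a party that merely copied the constant out of the source."""
    challenge = os.urandom(16)
    return device_accepts(challenge, impostor_response(challenge))


def key_offset_in_image(image):
    """The key is also recoverable from a shipped binary by a plain byte
    search; `image` is a constructed blob in the test, not a real .so."""
    return image.find(CR_KEY)


if __name__ == "__main__":
    print("impostor accepted:", run_challenge())
```

Because the only secret in the scheme is a constant that ships in every copy
of the library (and is now quoted in this bug), device_accepts cannot tell the
genuine driver from impostor_response, which is the CWE-321 situation the
report asks about. It also shows why the report says a key-distribution scheme
would be needed for the check to mean anything, and why upstream concluded
the fix belongs in the hardware rather than in the driver source.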

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
