CVE-2022-31021

Name of the Vulnerable Software and Affected Versions Ursa (affected versions not specified)

Description A weakness in the Hyperledger AnonCreds specification is not mitigated in the Ursa and AnonCreds implementations, allowing a malicious issuer to create a custom CL Signature implementation that uses weakened private keys. This could enable the issuer to determine the holder to which the credential was issued, impacting holders of AnonCreds credentials implemented using the CL-signature scheme. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key, but a malicious issuer could deliberately generate a private key that lacks the required characteristics, such as p and q being safe primes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, as a mitigation measure, issuers in existing ecosystems can share a key correctness proof with their ecosystem co-participants in an ad hoc manner, demonstrating that the generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. This can be achieved by publishing a key correctness proof, such as the one described by Jan Camenisch and Markus Michels, which proves the characteristics of the private key, including that p and q are safe primes.