Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
>> Note that even with v1.4, it still does not use high-quality entropy for >> Internet Explorer, because getRandomValues is provided under window.msCrypto >> for that browser. > > I don't know for that one, what was the issue? I simply meant that Internet Explorer implements the Web Cryptography API under window.msCrypto instead of window.crypto. Thus, unless msCrypto.getRandomValues is used, high-quality entropy will not have been used by any of these libraries under Internet Explorer. -- Jason Davies, https://www.jasondavies.com/ ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
On 10 Apr 2018, at 00:39, m...@musalbas.com wrote: > The original disclosure didn't contain any information about the library > in question, so I did some digging. > > I think that the vulnerability disclosure is referring to a pre-2013 > version of jsbn, a JavaScript crypto library. Before it used the CSRNG > in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did > a string comparison when checking the browser version. > > In practice though, this doesn't really matter, because > navigator.appVersion < "5" returns true anyway for old browsers. The > real issue is that modern browsers don't have window.crypto.random > defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be > using a CSPRNG, when run on a modern browser. Yes, it looks like high-quality entropy via crypto.getRandomValues was only added in Tom Wu's latest version (v1.4) in July 2013. Note that even with v1.4, it still does not use high-quality entropy for Internet Explorer, because getRandomValues is provided under window.msCrypto for that browser. http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js > As is noted though, even if a CSPRNG is used, the library passes the > output of the CSPRNG through RC4, which generates some biased bits, > leading to possible private key recovery. I think this is the real issue: even if high-quality entropy is utilised, the RNG is RC4-based, which is known to generate biased output. Finally, note that even Chrome used RC4 for crypto.getRandomValues at one point (as recently as 2015)! https://bugs.chromium.org/p/chromium/issues/detail?id=552749 -- Jason Davies, https://www.jasondavies.com/ ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
These issues all stem from the RC4-based RNG implementation (with insecure fallback entropy) in Tom Wu's jsbn library, published here: http://www-cs-students.stanford.edu/~tjw/jsbn/ Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's code (published to NPM): https://github.com/andyperlitch/jsbn -- my repository on GitHub was only ever intended to be a straight mirror of Tom Wu's code (created over 7 years ago!). I'll probably delete my mirror repository given that there are now better JavaScript bignum alternatives, and in light of this report. Jason > On 9 Apr 2018, at 22:11, m...@musalbas.com wrote: > > Here's the code in question: https://github.com/jasondavies/jsbn/pull/7 > > Best, > > Mustafa -- Jason Davies, http://www.jasondavies.com/ ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
