Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E3ACA6C for ; Tue, 10 Apr 2018 08:51:46 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f54.google.com (mail-wm0-f54.google.com [74.125.82.54]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0DE38628 for ; Tue, 10 Apr 2018 08:51:45 +0000 (UTC) Received: by mail-wm0-f54.google.com with SMTP id g8so24342054wmd.2 for ; Tue, 10 Apr 2018 01:51:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=rsdiwcCZLbFjweWIihj6OVUonl/DjaXyWNN2oQ6ToNo=; b=AmfuPP3QROfZh0LDypY2E6Ef/4XLjwPdJPtzDFbDhPNiMT6k8MAN0D4Dz1rbJw/Isb +nNgfiUFSclVCGN/Fjxq/PfWhDRuXQ3pRc7tNqRCZtXfsjBUwMflOuypd5EF5AqHJdYQ xxvNQy9eAc5pGpCuOu5ciQlo6AZyAoCqu9bp962FMDC3V0kJSOa64/09uu1kTOzJNAuZ IVlISiDEcPVBHm2uJfocz49b9Q365WhBE6oIffnXHtBWTjrJrIapVHX/Tl1R6JwswbHb UKDdBox5oyNwea2XtbPRhcUzMSy95YLIwZCB2fZbAkK1rMlUuPf/FpHCzc3eiJngzhjA ABJg== X-Gm-Message-State: ALQs6tDMKsfa9+gFo9BYyNSZ4ReIYYtrqOSaC1b4ywKyBrzjjt4bWH3J QQnP1D+fP5QLuyOn+BRDHfGD7yJy X-Google-Smtp-Source: AIpwx48rpNvPbnMJ/QgZ5HTIcVhgZwt2fD27z3MCfqWB6bvt0yVFdeBsw2ZA6zOlLx8o1UeND1aADg== X-Received: by 10.28.237.11 with SMTP id l11mr929494wmh.124.1523350304349; Tue, 10 Apr 2018 01:51:44 -0700 (PDT) Received: from [192.168.2.215] (cpc97578-walt24-2-0-cust101.13-2.cable.virginm.net. [82.1.27.102]) by smtp.gmail.com with ESMTPSA id d9sm2666623wmh.38.2018.04.10.01.51.43 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Apr 2018 01:51:43 -0700 (PDT) From: Jason Davies Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) Date: Tue, 10 Apr 2018 09:51:51 +0100 References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency> <921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com> <010e34a3-f9cf-fba1-5482-de06bc350d64@musalbas.com> <69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com> To: bitcoin-dev@lists.linuxfoundation.org In-Reply-To: <69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com> Message-Id: <333F9973-6092-45B7-A87F-32730D752501@jasondavies.com> X-Mailer: Apple Mail (2.3445.6.18) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 10 Apr 2018 12:24:11 +0000 Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected. X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Apr 2018 08:51:47 -0000 On 10 Apr 2018, at 00:39, mus@musalbas.com wrote: > The original disclosure didn't contain any information about the library > in question, so I did some digging. > > I think that the vulnerability disclosure is referring to a pre-2013 > version of jsbn, a JavaScript crypto library. Before it used the CSRNG > in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did > a string comparison when checking the browser version. > > In practice though, this doesn't really matter, because > navigator.appVersion < "5" returns true anyway for old browsers. The > real issue is that modern browsers don't have window.crypto.random > defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be > using a CSPRNG, when run on a modern browser. Yes, it looks like high-quality entropy via crypto.getRandomValues was only added in Tom Wu's latest version (v1.4) in July 2013. Note that even with v1.4, it still does not use high-quality entropy for Internet Explorer, because getRandomValues is provided under window.msCrypto for that browser. http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js > As is noted though, even if a CSPRNG is used, the library passes the > output of the CSPRNG through RC4, which generates some biased bits, > leading to possible private key recovery. I think this is the real issue: even if high-quality entropy is utilised, the RNG is RC4-based, which is known to generate biased output. Finally, note that even Chrome used RC4 for crypto.getRandomValues at one point (as recently as 2015)! https://bugs.chromium.org/p/chromium/issues/detail?id=552749 -- Jason Davies, https://www.jasondavies.com/