Return-Path: <ketamine@national.shitposting.agency>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 810FBEBD
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  6 Apr 2018 20:00:04 +0000 (UTC)
X-Greylist: delayed 00:06:48 by SQLgrey-1.7.6
Received: from cock.li (cock.li [185.100.85.212])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id CC861335
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  6 Apr 2018 20:00:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	T_DKIM_INVALID autolearn=no version=3.3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Fri, 06 Apr 2018 21:53:13 +0200
From: ketamine@national.shitposting.agency
To: bitcoin-dev@lists.linuxfoundation.org
X-Priority: 2 (High)
Message-ID: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
X-Sender: ketamine@national.shitposting.agency
User-Agent: Roundcube Webmail/1.3.3
X-Mailman-Approved-At: Fri, 06 Apr 2018 20:30:48 +0000
Subject: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(),
 numerous cryptocurrency products affected.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 20:00:04 -0000

A significant number of past and current cryptocurrency products
contain a JavaScript class named SecureRandom(), containing both
entropy collection and a PRNG. The entropy collection and the RNG
itself are both deficient to the degree that key material can be
recovered by a third party with medium complexity. There are a
substantial number of variations of this SecureRandom() class in
various pieces of software, some with bugs fixed, some with additional
bugs added. Products that aren't today vulnerable due to moving to
other libraries may be using old keys that have been previously
compromised by usage of SecureRandom().


The most common variations of the library attempt to collect entropy
from window.crypto's CSPRNG, but due to a type error in a comparison
this function is silently stepped over without failing. Entropy is
subsequently gathered from Math.random (a 48-bit linear congruential
generator, seeded by the time in some browsers), and a single
execution of a medium resolution timer. In some known configurations
this system has substantially less than 48 bits of entropy.

The core of the RNG is an implementation of RC4 ("arcfour random"),
and the output is often directly used for the creation of private key
material as well as cryptographic nonces for ECDSA signatures. RC4 is
publicly known to have biases of several bits, which are likely
sufficient for a lattice solver to recover an ECDSA private key given a
number of signatures. One popular Bitcoin web wallet re-initialized
the RC4 state for every signature which makes the biases bit-aligned,
but in other cases the Special K would manifest itself over
multiple transactions.


Necessary action:

   * identify and move all funds stored using SecureRandom()

   * rotate all key material generated by, or that has come into contact
     with, any piece of software using SecureRandom()

   * do not write cryptographic tools in non-type safe languages

   * don't take the output of a CSPRNG and pass it through RC4

-
3CJ99vSipFi9z11UdbdZWfNKjywJnY8sT8
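
The silent skip described in the message, as an added example that is not part of the original post and is not the SecureRandom() source (the post does not quote the real comparison): a constructed string-comparison guard bypasses the CSPRNG without any error, shown beside a fail-closed version. The names makeEnv, seedPoolFlawed and seedPoolHardened and the stubbed browser environment are hypothetical.

```javascript
// Added illustration, not the SecureRandom() source; all names are hypothetical.
// Constructed stand-in for a browser so the example runs offline. The stub
// CSPRNG fills with 0xAA so it is visible whether it was consulted.
function makeEnv(appVersion) {
  return {
    appVersion, // a string in browsers, e.g. "5.0 (X11)"
    crypto: { getRandomValues(buf) { return buf.fill(0xaa); } },
    weakRandom: () => 0.5,    // stands in for Math.random()
    now: () => 1523044393000, // stands in for one timer reading
  };
}

// Flawed: the version guard compares two strings, so "5.0 (X11)" < "5" is a
// lexicographic test that is false. The CSPRNG branch is skipped, nothing
// throws, and the pool is filled from the weak sources alone.
function seedPoolFlawed(env, size = 32) {
  const pool = new Uint8Array(size);
  let usedCsprng = false;
  if (env.appVersion < "5" && env.crypto) {
    env.crypto.getRandomValues(pool);
    usedCsprng = true;
  }
  if (!usedCsprng) {
    const t = env.now();
    for (let i = 0; i < size; i++) {
      pool[i] = Math.floor(env.weakRandom() * 256) ^ ((t >>> (8 * (i % 4))) & 0xff);
    }
  }
  return { pool, usedCsprng };
}

// Hardened: feature-detect by type, fail closed, and use the CSPRNG output
// directly (no second PRNG such as RC4 layered on top).
function seedPoolHardened(env, size = 32) {
  const c = env.crypto;
  if (!c || typeof c.getRandomValues !== "function") {
    throw new Error("no CSPRNG available; refusing to generate key material");
  }
  const pool = c.getRandomValues(new Uint8Array(size));
  if (pool.every((b) => b === 0)) throw new Error("CSPRNG returned no data");
  return { pool, usedCsprng: true };
}

const flawed = seedPoolFlawed(makeEnv("5.0 (X11)"));
console.log("flawed used CSPRNG:", flawed.usedCsprng);
console.log("hardened used CSPRNG:", seedPoolHardened(makeEnv("5.0 (X11)")).usedCsprng);
```

In a browser the hardened function would be called with an object exposing window.crypto; an audit of existing code should look for any key-generation path that can complete when the CSPRNG branch was not taken.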