Return-Path: <jason.davies@gmail.com>
From: Jason Davies <jason@jasondavies.com>
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 10 Apr 2018 09:51:51 +0100
References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
	<CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com>
	<921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com>
	<010e34a3-f9cf-fba1-5482-de06bc350d64@musalbas.com>
	<69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com>
To: bitcoin-dev@lists.linuxfoundation.org
In-Reply-To: <69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com>
Message-Id: <333F9973-6092-45B7-A87F-32730D752501@jasondavies.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Mailman-Approved-At: Tue, 10 Apr 2018 12:24:11 +0000
Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

On 10 Apr 2018, at 00:39, mus@musalbas.com wrote:

> The original disclosure didn't contain any information about the library
> in question, so I did some digging.
>
> I think that the vulnerability disclosure is referring to a pre-2013
> version of jsbn, a JavaScript crypto library. Before it used the CSRNG
> in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did
> a string comparison when checking the browser version.
>
> In practice though, this doesn't really matter, because
> navigator.appVersion < "5" returns true anyway for old browsers. The
> real issue is that modern browsers don't have window.crypto.random
> defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be
> using a CSPRNG, when run on a modern browser.

Yes, it looks like high-quality entropy via crypto.getRandomValues was only
added in Tom Wu's latest version (v1.4) in July 2013.

Note that even with v1.4, it still does not use high-quality entropy for
Internet Explorer, because getRandomValues is provided under window.msCrypto
for that browser.

  http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js

> As is noted though, even if a CSPRNG is used, the library passes the
> output of the CSPRNG through RC4, which generates some biased bits,
> leading to possible private key recovery.

I think this is the real issue: even if high-quality entropy is utilised, the
RNG is RC4-based, which is known to generate biased output.

Finally, note that even Chrome used RC4 for crypto.getRandomValues at one
point (as recently as 2015)!

  https://bugs.chromium.org/p/chromium/issues/detail?id=552749

--
Jason Davies, https://www.jasondavies.com/
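The feature-detection problem discussed in this thread, as an added example in JavaScript that is not part of this message or of jsbn: a fail-closed CSPRNG lookup covering window.crypto.getRandomValues, Internet Explorer's window.msCrypto, and the legacy window.crypto.random that modern browsers no longer define, plus a numeric parse of navigator.appVersion in place of the string comparison. The `env` objects, `fakeProvider` and `appVersionMajor` are constructed here for the demonstration.

```javascript
// Added example (not jsbn's code): fail-closed CSPRNG selection for the three
// browser situations the thread describes: window.crypto.getRandomValues,
// Internet Explorer's window.msCrypto, and the legacy window.crypto.random that
// modern browsers no longer define. `env` stands in for the global object so the
// logic can be run offline against constructed environments.

function pickCsprng(env) {
  if (env.crypto && typeof env.crypto.getRandomValues === 'function') return env.crypto;
  if (env.msCrypto && typeof env.msCrypto.getRandomValues === 'function') return env.msCrypto;
  return null; // legacy window.crypto.random is deliberately not accepted
}

function secureRandomBytes(n, env) {
  const provider = pickCsprng(env);
  if (provider === null) {
    // jsbn topped its entropy pool up from Math.random() at this point; refuse
    // instead, so a missing CSPRNG is a visible failure rather than a weak key.
    throw new Error('no CSPRNG: crypto.getRandomValues unavailable');
  }
  const out = new Uint8Array(n);
  provider.getRandomValues(out);
  return out;
}

// The legacy check compared navigator.appVersion as a string. Under string
// ordering "10.0" < "5" is true because '1' sorts before '5'; parse the
// leading number instead.
function appVersionMajor(appVersion) {
  const m = /^\s*(\d+)/.exec(appVersion);
  return m ? Number(m[1]) : NaN;
}

// Constructed environments (not real browsers). The fake provider fills bytes
// with a fixed pattern so results are reproducible; a real window.crypto does not.
function fakeProvider() {
  return { getRandomValues: (u) => { for (let i = 0; i < u.length; i++) u[i] = (i * 37 + 11) & 0xff; return u; } };
}
const modernEnv = { crypto: fakeProvider() };
const ieEnv = { msCrypto: fakeProvider() };
const legacyEnv = { crypto: { random: (n) => 'x'.repeat(n) } }; // pre-2013 code path only

function demo() {
  const results = { modern: secureRandomBytes(4, modernEnv).length, ie: secureRandomBytes(4, ieEnv).length };
  try { secureRandomBytes(4, legacyEnv); results.legacy = 'bytes'; } catch (e) { results.legacy = e.message; }
  return results;
}
```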
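The RC4 bias that the reply calls the real issue, as an added example that is not taken from this thread or from jsbn: a minimal RC4 keystream generator and a measurement of the second-output-byte bias (Mantin and Shamir, 2001), under which output byte 2 is zero for about 2/256 of random keys instead of 1/256. `rc4Keystream`, `makeKeyGen` and `byteBias` are names chosen here; the xorshift key generator is only there to make the experiment reproducible offline.

```javascript
// Added example (not jsbn's code): measuring the well-known bias in RC4's second
// output byte, the reason the thread objects to passing CSPRNG output through an
// RC4-based generator. For random keys the second keystream byte is 0 with
// probability about 2/256 rather than 1/256 (Mantin and Shamir, 2001).

function rc4Keystream(key, n) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  // Key-scheduling algorithm (KSA)
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  // Pseudo-random generation algorithm (PRGA), first n bytes
  const out = new Uint8Array(n);
  for (let k = 0, i = 0, j = 0; k < n; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Deterministic xorshift32 so the experiment is reproducible; it only supplies
// the keys under test and is not a CSPRNG.
function makeKeyGen(seed) {
  let x = seed >>> 0;
  return (len) => {
    const key = new Uint8Array(len);
    for (let i = 0; i < len; i++) {
      x ^= x << 13; x >>>= 0; x ^= x >>> 17; x ^= x << 5; x >>>= 0;
      key[i] = x & 0xff;
    }
    return key;
  };
}

// Fraction of keys for which keystream byte `pos` (0-based) equals `value`.
function byteBias(trials, pos, value, keyLen = 16, seed = 0x9e3779b9) {
  const nextKey = makeKeyGen(seed);
  let hits = 0;
  for (let t = 0; t < trials; t++) {
    if (rc4Keystream(nextKey(keyLen), pos + 1)[pos] === value) hits++;
  }
  return hits / trials;
}
```

Comparing `byteBias(40000, 1, 0)` with `byteBias(40000, 1, 1)` shows the zero value turning up roughly twice as often as any other value in the second byte, which is what a uniform generator must not do.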