KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.



Summary:

A significant number of past and current cryptocurrency products contain a JavaScript class named SecureRandom() that has deficient entropy collection and a weak PRNG, which means that key material can be recovered by a third party with medium complexity. There are many variations of this SecureRandom() class across different pieces of software, some with bugs fixed and some with additional bugs introduced, but the most common variants attempt to collect entropy from the CSPRNG behind window.crypto and, due to a type error in a comparison, silently skip that step without failing. Entropy is subsequently gathered from Math.random(), which in some browsers is a 48-bit linear congruential generator seeded by the time, and from a single reading of a medium-resolution timer.

The core of the RNG is an implementation of RC4 ("arcfour random"), and its output is often used directly to create private key material as well as the nonces for ECDSA signatures. RC4 has publicly known biases of several bits in its keystream, which are likely sufficient for a lattice solver to recover an ECDSA private key given a number of signatures made with such nonces.

Therefore, it is necessary to identify and move all funds stored under keys generated with SecureRandom(), to rotate all key material generated by, or that has come into contact with, any piece of software using SecureRandom(), to avoid writing cryptographic tools in languages that are not type safe, and to never pass the output of a CSPRNG through RC4. Note that products that are not vulnerable today because they have moved to other libraries may still be using old keys that were previously compromised through the use of SecureRandom().
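As an added illustration of the keystream bias the summary refers to (example code written for this page, not code from the advisory or from any affected product): the block below implements plain RC4 and measures, over many constructed random keys, how often the second keystream byte is zero. The publicly known Mantin-Shamir bias predicts roughly 2/256 rather than the 1/256 an unbiased generator would give; a later keystream byte is measured alongside it for comparison. The keys come from a small xorshift32 generator seeded with a fixed constant so the run is reproducible offline; that generator, the 16-byte key length and the sample count are assumptions of the example, not properties of any product's SecureRandom().

```javascript
// Added example for this page, not code from any affected product.
// Plain RC4 (KSA + PRGA) plus a measurement of the Mantin-Shamir bias:
// the second keystream byte is 0 with probability about 2/256 instead
// of 1/256. Keys are produced by a fixed-seed xorshift32 generator
// (an assumption of the example, chosen for reproducibility; the bias
// does not depend on how the keys were chosen).

function rc4Keystream(key, n) {
  if (key.length === 0) throw new Error("RC4 key must not be empty");
  // Key-scheduling algorithm: permute S under the key.
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
  }
  // Pseudo-random generation algorithm: emit n keystream bytes.
  const out = new Uint8Array(n);
  let i = 0;
  j = 0;
  for (let k = 0; k < n; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
    out[k] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

// Deterministic 32-bit xorshift, used only to manufacture test keys
// (constructed input; never use something like this for real keys).
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Fraction of keys for which keystream byte `pos` (0-based) is zero.
function zeroRateAt(pos, numKeys, keyLen = 16, seed = 0x4b455441) {
  const next = xorshift32(seed);
  const key = new Uint8Array(keyLen);
  let zeros = 0;
  for (let k = 0; k < numKeys; k++) {
    for (let b = 0; b < keyLen; b++) key[b] = next() & 0xff;
    if (rc4Keystream(key, pos + 1)[pos] === 0) zeros++;
  }
  return zeros / numKeys;
}

// Compare the second keystream byte (index 1) against a later one (index 9).
// For an unbiased generator both rates would sit near 1/256 ~= 0.0039;
// RC4's second byte comes out near 2/256 ~= 0.0078.
function rc4SecondByteBias(numKeys = 100000) {
  return {
    expectedUnbiased: 1 / 256,
    secondByteZeroRate: zeroRateAt(1, numKeys),
    tenthByteZeroRate: zeroRateAt(9, numKeys),
  };
}

if (typeof module !== "undefined" && require.main === module) {
  // Known RC4 test vector: key "Key" -> keystream eb9f7781b734ca72a719
  const k = Uint8Array.from("Key", c => c.charCodeAt(0));
  console.log("RC4 keystream for key 'Key':", toHex(rc4Keystream(k, 10)));
  console.log(rc4SecondByteBias());
}
```

Run it with node; the first line checks the RC4 implementation against the standard "Key" test vector, and the second prints the two measured zero rates. The point for this advisory is not that Pr[Z2 = 0] alone breaks a key, but that any such bias in nonce bytes leaks partial information about each nonce, and partial nonce knowledge over many signatures is exactly what lattice attacks on ECDSA consume.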


Updated on: 2023-06-13T01:24:54.941482+00:00