Author: Mustafa Al-Bassam 2018-04-09 21:17:11
Published on: 2018-04-09T21:17:11+00:00
On April 6, 2018, a user posting as ketamine--- wrote to the bitcoin-dev mailing list that a significant number of past and current cryptocurrency products contain a JavaScript class named SecureRandom(), whose entropy collection and PRNG are deficient to the degree that key material can be recovered by a third party with medium complexity. Many variations of this SecureRandom() class exist across different pieces of software, some with bugs fixed and some with additional bugs added. The core of the RNG is an implementation of RC4 ("arcfour random"), and its output is often used directly to create private key material as well as the nonces for ECDSA signatures.

The most common variations of the library attempt to collect entropy from window.crypto's CSPRNG, but because of a type error in a comparison (a string compared where a number was intended), that branch is silently skipped without failing. Entropy is then gathered from Math.random (a 48-bit linear congruential generator seeded by the time in some browsers) and a single reading of a medium-resolution timer. In some known configurations the resulting state has substantially less than 48 bits of entropy, so an attacker who can bound the time at which a key was generated is left with a seed space small enough to enumerate.

RC4 is publicly known to have keystream biases of several bits, which are likely sufficient for a lattice solver to recover an ECDSA private key given a number of signatures. One popular Bitcoin web wallet re-initialized the RC4 state for every signature, which makes the biases bit-aligned; in other cases the biased nonce k (the "Special K" of the original post) would manifest itself over multiple transactions. Mustafa Al-Bassam shared the code in question on GitHub: https://github.com/jasondavies/jsbn/pull/7.

The recommended actions are: identify and move all funds stored under keys generated with SecureRandom(); rotate all key material generated by, or that has come into contact with, any software using SecureRandom(); do not write cryptographic tools in languages that are not type safe; and do not take the output of a CSPRNG and pass it through RC4. A practical first check for anyone maintaining a JavaScript wallet or signing library is to search the shipped bundles for the SecureRandom class and the "arcfour" RC4 implementation, and to treat any key or signature produced while such code was present as potentially compromised.
Updated on: 2023-06-13T01:25:37.015780+00:00