KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
Summary:

A JavaScript class named SecureRandom(), used in many cryptocurrency products, contains deficient entropy collection and a weak PRNG, allowing key material to be recovered by a third party with medium complexity. The library attempts to collect entropy from window.crypto's CSPRNG, but due to a type error in a comparison this step is silently skipped rather than failing. Entropy is subsequently gathered from Math.random (a 48-bit linear congruential generator, seeded by the time in some browsers) and a single read of a medium-resolution timer. In some known configurations this system has substantially less than 48 bits of entropy.

The core of the RNG is an implementation of RC4 ("arcfour random"), and its output is often used directly to create private key material as well as the cryptographic nonces for ECDSA signatures, so a recoverable RNG state exposes both the keys and the signatures made with them.

Necessary actions include identifying and moving all funds stored using SecureRandom(); rotating all key material generated by, or that has come into contact with, any software using SecureRandom(); not writing cryptographic tools in languages that are not type-safe; and not taking the output of a CSPRNG and passing it through RC4.
Updated on: 2023-06-13T01:26:21.539003+00:00