KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.



Summary:

A vulnerability disclosure regarding a pre-2013 version of jsbn, a JavaScript crypto library, may affect a significant number of past and current cryptocurrency products. The class named SecureRandom() in these products contains both entropy collection and a PRNG that are deficient to the degree that key material can be recovered by a third party with medium complexity. The most common variations of the library attempt to collect entropy from window.crypto's CSPRNG, but due to a type error in a comparison, this code path is silently stepped over without failing. Entropy is subsequently gathered from Math.random() and a single execution of a medium-resolution timer. In some known configurations, this system has less than 48 bits of entropy. RC4 ("arcfour random") is used as the core of the RNG; RC4 is publicly known to have output biases of several bits, which are likely sufficient for a lattice solver to recover an ECDSA private key given a number of signatures.

Recommended actions: identify and move all funds stored using SecureRandom(); rotate all key material generated by, or that came into contact with, any software using SecureRandom(); do not write cryptographic tools in non-type-safe languages; and do not take the output of a CSPRNG and pass it through RC4.
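The following is an added illustration, not the advisory's text and not jsbn's own code, of the failure class the summary describes: a feature check on the browser CSPRNG that evaluates false without raising an error, so seeding quietly falls through to Math.random() plus one timer read. The specific comparison used here (a version string compared against the string "5") is an assumed stand-in for "a type error in a comparison"; the real jsbn line is not reproduced. The `env` object stands in for browser globals so both paths can be exercised offline, and the hardened variant shows the two fixes the advisory calls for: fail closed when no CSPRNG is present, and use its bytes directly rather than feeding them through RC4.

```javascript
// Added example (not from the advisory or jsbn). Models the weak seeding
// pattern and a fail-closed replacement. `env` is an injected stand-in for
// window/navigator globals: { appVersion, crypto.getRandomBytes, random, now }.

const POOL_BYTES = 32;

// Weak seeding. `env.appVersion < "5"` is a STRING comparison (assumed stand-in
// for the advisory's "type error in a comparison"): on a modern user agent
// appVersion begins "5.0 ...", and "5.0 ..." < "5" is false, so the CSPRNG
// branch is skipped even though env.crypto exists, and nothing reports it.
function seedPoolWeak(env) {
  const pool = [];
  let source = "math.random+timer";
  if (env.appVersion < "5" && env.crypto) {      // silently false on modern UAs
    source = "csprng";
    for (const b of env.crypto.getRandomBytes(POOL_BYTES)) pool.push(b & 255);
  }
  while (pool.length < POOL_BYTES) {             // fallback: Math.random() only
    const t = Math.floor(65536 * env.random());
    pool.push(t >>> 8, t & 255);
  }
  const now = env.now();                         // single timer sample mixed in
  pool[0] ^= now & 255;
  pool[1] ^= (now >>> 8) & 255;
  return { pool, source };
}

// Hardened seeding: refuse to produce key material without a CSPRNG, and hand
// its output on unchanged (no RC4 or other stream-cipher post-processing).
function seedPoolStrict(env) {
  if (!env.crypto || typeof env.crypto.getRandomBytes !== "function") {
    throw new Error("no CSPRNG available: refusing to generate key material");
  }
  const z = env.crypto.getRandomBytes(POOL_BYTES);
  if (z.length !== POOL_BYTES) throw new Error("short read from CSPRNG");
  return { pool: Array.from(z), source: "csprng" };
}

// Real environment adapter for running stand-alone (constructed; a browser
// build would wrap window.crypto.getRandomValues the same way).
function realEnv() {
  const webcrypto = globalThis.crypto ||
    (typeof require === "function" ? require("crypto").webcrypto : undefined);
  return {
    appVersion: "5.0 (X11; Linux x86_64)",     // modern UA: "5.0 ..." < "5" is false
    crypto: webcrypto && { getRandomBytes: (n) => webcrypto.getRandomValues(new Uint8Array(n)) },
    random: Math.random,
    now: Date.now,
  };
}

// Convenience entry point: returns which entropy source each variant used.
function demo(env = realEnv()) {
  const weak = seedPoolWeak(env).source;        // "math.random+timer"
  let strict;
  try { strict = seedPoolStrict(env).source; } catch (e) { strict = "refused: " + e.message; }
  return { weak, strict };
}
```

Run `demo()` under Node to see the weak path report `math.random+timer` even though a CSPRNG is available, while the strict path reports `csprng`; pass an `env` without `crypto` and the strict path throws instead of degrading. The point for a reviewer is that a seeding routine should have no silent fallback at all: the only acceptable outcomes are "CSPRNG bytes used" or "abort".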


Updated on: 2023-06-13T01:25:55.128535+00:00