KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.



Summary:

The vulnerability disclosure refers to a pre-2013 version of jsbn, a JavaScript crypto library. Before it used the CSPRNG in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did a string comparison when checking the browser version. It was discovered that modern browsers do not have window.crypto.random defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be using a CSPRNG when run on a modern browser. Even if a CSPRNG is used, the library passes the output of the CSPRNG through RC4, which generates some biased bits, leading to possible private key recovery. High-quality entropy via crypto.getRandomValues was only added in Tom Wu's latest version (v1.4) in July 2013. However, it still does not use high-quality entropy for Internet Explorer, because getRandomValues is provided under window.msCrypto for that browser.

The Math.random weakness and the RC4 weakness impacted all wallets generated by JavaScript tools inside browsers from Bitcoin's inception until 2011. Between 2011 and 2013, wallets were affected by the Math.random weakness or, for Chrome users, the RC4 weakness. The RC4 weakness for Chrome users lasted until the end of 2015. All wallets using jsbn are impacted by Math.random and RC4 until 2013 (or the end of 2015 for Chrome), and by the RC4 fallback step after that.
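As an added illustration (not jsbn's code and not part of this advisory), the entropy-source selection flaw described above is shown beside a feature-detecting alternative. The legacy check is reconstructed from the advisory's description as an assumption, and the three `window`-like environments are constructed stand-ins with deterministic stubs.

```javascript
// Added example, not jsbn's code. `env` stands in for the browser `window`; the
// environments at the bottom are constructed stand-ins with deterministic stubs.

// Legacy selection, reconstructed from the advisory's description (assumption): a
// *string* comparison on the version decides, and the only CSPRNG it knows is the
// old nsIDOMCrypto `crypto.random`; anything else degrades to Math.random.
function legacyEntropySource(env) {
  const nav = env.navigator || {};
  // Lexicographic: "4.7" < "5" is true, "5.0 (X11)" < "5" is false, yet "10.0" < "5"
  // is also true, so the check never tracked numeric versions.
  if (nav.appName === "Netscape" && nav.appVersion < "5" &&
      env.crypto && typeof env.crypto.random === "function") {
    return "crypto.random";
  }
  return "Math.random"; // not a CSPRNG; unsuitable for key material
}
// Hardened selection: feature-detect getRandomValues, including IE's msCrypto alias,
// and fail closed instead of quietly falling back to a non-cryptographic source.
function cspRng(env) {
  const c = env.crypto || env.msCrypto;
  if (c && typeof c.getRandomValues === "function") return c;
  throw new Error("no CSPRNG available; refusing to generate key material");
}
// Key bytes straight from the CSPRNG: no RC4 "whitening" pass (the advisory notes it adds bias).
function randomBytes(env, n) {
  const buf = new Uint8Array(n);
  cspRng(env).getRandomValues(buf);
  return buf;
}
// Constructed environments; fillSeq is a deterministic stub standing in for a real CSPRNG.
const fillSeq = (b) => { for (let i = 0; i < b.length; i++) b[i] = i & 255; return b; };
const ENVS = {
  modern: { navigator: { appName: "Netscape", appVersion: "5.0 (X11)" },
            crypto: { getRandomValues: fillSeq } },        // no crypto.random here
  ie11:   { navigator: { appName: "Netscape", appVersion: "5.0 (Windows NT 10.0)" },
            msCrypto: { getRandomValues: fillSeq } },      // CSPRNG only under msCrypto
  ns4:    { navigator: { appName: "Netscape", appVersion: "4.7 [en]" },
            crypto: { random: (n) => "x".repeat(n) } },    // old nsIDOMCrypto only
};
// Which source each strategy ends up with, per environment.
function compareSources() {
  const out = {};
  for (const [name, env] of Object.entries(ENVS)) {
    let hardened;
    try { hardened = cspRng(env) === env.crypto ? "crypto.getRandomValues" : "msCrypto.getRandomValues"; }
    catch (e) { hardened = "refused"; }
    out[name] = { legacy: legacyEntropySource(env), hardened };
  }
  return out;
}
```

On the constructed modern and IE environments the legacy path lands on Math.random while feature detection finds a CSPRNG; on the Netscape 4 stand-in the hardened path refuses rather than proceed without one.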


Updated on: 2023-06-13T01:24:20.254928+00:00