Published on: 2018-04-10T13:50:40+00:00
The implementation of the Web Cryptography API in Internet Explorer differs from other browsers as it uses window.msCrypto instead of window.crypto. This means that without using msCrypto.getRandomValues, high-quality entropy will not be utilized by any library under Internet Explorer. Bitcoin wallets using a pre-2013 version of jsbn, a JavaScript crypto library, may not be using a CSPRNG when run on a modern browser. Even with the latest version of jsbn, high-quality entropy is still not used for Internet Explorer because getRandomValues is provided under window.msCrypto for that browser. Additionally, the library passes the output of the CSPRNG through RC4, which generates biased bits and can lead to possible private key recovery.A vulnerability disclosure was made regarding the pre-2013 version of jsbn, stating that it contains a JavaScript class named SecureRandom() with deficient entropy collection and a PRNG. This allows for key material to be recovered by a third party with medium complexity. The library attempts to collect entropy from window.crypto's CSPRNG, but due to a type error in a comparison, this function is silently skipped. Entropy is then gathered from math.Random and a single execution of a medium-resolution timer, resulting in less than 48 bits of entropy in some configurations. The core of the RNG is an implementation of RC4, which has biases that can be exploited to recover an ECDSA private key. Necessary actions include identifying and moving funds stored using SecureRandom(), rotating all key material generated by or in contact with any software using SecureRandom(), and not passing the output of a CSPRNG through RC4.Further investigation revealed that many cryptocurrency products contain the SecureRandom() class with deficient entropy collection and a PRNG. The library attempts to collect entropy from window.crypto's CSPRNG, but a type error causes it to be skipped without failing. Entropy is then gathered from math.Random and a timer, resulting in less than 48 bits of entropy in some cases. The core of the RNG is an implementation of RC4, which has biases that can be exploited to recover an ECDSA private key. It is recommended to identify and move funds stored using SecureRandom(), rotate all key material generated by or in contact with any software using SecureRandom(), and avoid passing the output of a CSPRNG through RC4.A JavaScript class named SecureRandom() used in many cryptocurrency products has deficient entropy collection and a PRNG, allowing for key material to be recovered by a third party. The library attempts to collect entropy from window.crypto's CSPRNG, but due to a type error, this function is silently skipped. Entropy is then gathered from math.Random and a timer, resulting in less than 48 bits of entropy in some configurations. The core of the RNG is an implementation of RC4, which has biases that can be exploited to recover an ECDSA private key. It is advised to identify and move funds stored using SecureRandom(), rotate all key material generated by or in contact with any software using SecureRandom(), and avoid passing the output of a CSPRNG through RC4.
Updated on: 2023-08-01T22:52:15.274680+00:00