Nonce blinding protocol for hardware wallets and airgapped signers



Summary:

When generating a digital signature, deriving the nonce from only the message and the private key can be unsafe. Instead, all data coming from the host should be mixed into the nonce, such as f(sha256(n), m, privkey). If multiple blinding factors are sent, they should all be used as well. Completely random nonces would be better, but it may not always be possible to gather sufficient entropy. Therefore, any source of entropy that is available, even if not very good, can be mixed into the nonce generation function. Deterministic nonce generation is vulnerable to glitch attacks: the same message signed twice can produce two different signatures because a bit in the message is flipped during one run, and since both runs derived the same nonce, that pair of signatures leaks the private key. To prevent this, a monotonic counter should be included in the nonce generation function, such as f(sha256(n), m, privkey, entropy, counter), with the counter being increased before signing. It is important to note that YubiKey had a problem with RNG initialization which caused leakage of the private key, so it is best to avoid purely RNG-generated nonces.
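One way to realize the derivation described above, as an added Python example that is not code from the original proposal or from any wallet firmware; the HMAC-SHA256 construction, the length prefixes on each field, the `Signer` class and the constructed key, blinding and entropy values are all assumptions:

```python
import hashlib
import hmac
import os


def derive_nonce(blinding_factors, msg, privkey, entropy, counter):
    """Derive a 32-byte signing nonce from every input the summary lists:
    sha256 of each host blinding factor n_i, the message m, the private key,
    whatever entropy is available, and a monotonic counter."""
    if not blinding_factors:
        raise ValueError("host must supply at least one blinding factor")
    if not isinstance(counter, int) or counter < 0:
        raise ValueError("counter must be a non-negative integer")
    # Key the hash with privkey so the nonce is unpredictable to the host.
    h = hmac.new(privkey, digestmod=hashlib.sha256)
    for n in blinding_factors:
        h.update(hashlib.sha256(n).digest())  # mix in sha256(n) for each factor
    # Length-prefix variable-length fields so field boundaries are unambiguous.
    for field in (msg, entropy):
        h.update(len(field).to_bytes(4, "big") + field)
    h.update(counter.to_bytes(8, "big"))
    return h.digest()


class Signer:
    """Stateful signer: the counter advances *before* each derivation, so the
    same message signed twice never reuses a nonce, even with a stuck RNG."""

    def __init__(self, privkey, entropy_source=os.urandom):
        self.privkey = privkey
        self.entropy_source = entropy_source
        self.counter = 0  # in a real device this lives in persistent storage

    def next_nonce(self, blinding_factors, msg):
        self.counter += 1  # increment first: a glitch after this cannot rewind it
        entropy = self.entropy_source(32)  # weak entropy is still worth mixing in
        return derive_nonce(blinding_factors, msg, self.privkey, entropy, self.counter)


def demo():
    privkey = b"\x11" * 32  # constructed placeholder key, not a real secret
    msg = b"constructed-sighash"
    stuck_rng = lambda k: b"\x00" * k  # simulate an RNG that yields no entropy
    s = Signer(privkey, stuck_rng)
    k1 = s.next_nonce([b"host-n1"], msg)  # counter = 1
    k2 = s.next_nonce([b"host-n1"], msg)  # identical inputs, counter = 2
    # A second host blinding factor changes the nonce as well.
    k3 = derive_nonce([b"host-n1", b"host-n2"], msg, privkey, b"\x00" * 32, 1)
    return k1, k2, k3
```

With the RNG stuck at zero, `k1` and `k2` still differ only because of the counter, which is exactly the property the glitch-attack discussion calls for.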


Updated on: 2023-06-13T23:48:43.307043+00:00