From: Aymeric Vitte <vitteaymeric@gmail.com>
To: Jason Davies <jason@jasondavies.com>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.
Date: Tue, 10 Apr 2018 15:15:22 +0200 [thread overview]
Message-ID: <33a9f602-6185-cac5-e457-e5a9af047dbc@gmail.com> (raw)
In-Reply-To: <333F9973-6092-45B7-A87F-32730D752501@jasondavies.com>
[-- Attachment #1: Type: text/plain, Size: 4787 bytes --]
I used jsbn in the past, then I made some research too
Apparently window.crypto.getRandomValues was introduced in jsbn mid 2012
(according to the wayback machine, but 2012/2013 does not make any
difference, see below), was available in Chrome since 2011 (but indeed
see "window.crypto.getRandomValues() uses a weak CSPRNG"
https://bugs.chromium.org/p/chromium/issues/detail?id=552749 fixed *end
*of 2015, funny to see that those that did specify the Webcrypto API did
not implement it correctly...), in FF in 2013
(https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/21.0/releasenotes/)
, in IE in 2013 and Safari ~2012/2013, at least that's the official
dates for the Webcrypto API implementation, maybe something existed
before, but it's not so easy to seek for the history
The window.crypto.random check is in jsbn since the begining (2006) and
only returns true for Netscape browsers before Netscape 5/6, ie Firefox
(2000), see
https://books.google.fr/books?id=UooAblGoGN8C&pg=PA85&lpg=PA85&dq=browser+appversion+4&source=bl&ots=dVijsOR0ov&sig=6SnElm56-bAvmGlKqUAdoGLAs2A&hl=fr&sa=X&ved=2ahUKEwirhtaqva_aAhUFchQKHQ4JCk4Q6AEwBXoECAAQcQ#v=onepage&q=browser%20appversion%204&f=false)
From the existing tools, there was not only jsbn, everybody was using
Math.random (sjcl, cryptoJS, forge, etc) with different implementations
and everybody did put a note stating that it might be insecure with an
"improvement to come" comment
We can probably assume that nobody was using Netscape any longer when
Bitcoin started
The conclusion seems to be that at least all wallets generated by js
tools inside browsers since bitcoin exists until 2011 are impacted by
the Math.random weakness if applicable to the related implementations,
the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4
weakness for Chrome users until end of 2015
And all wallets using jsbn are impacted by Math.random and RC4 until
2013 (or end 2015 for Chrome), then still by the RC4 fallback step after
> Note that even with v1.4, it still does not use high-quality entropy
for Internet Explorer, because getRandomValues is provided under
window.msCrypto for that browser
I don't know for that one, what was the issue?
Le 10/04/2018 à 10:51, Jason Davies via bitcoin-dev a écrit :
> On 10 Apr 2018, at 00:39, mus@musalbas.com wrote:
>
>> The original disclosure didn't contain any information about the library
>> in question, so I did some digging.
>>
>> I think that the vulnerability disclosure is referring to a pre-2013
>> version of jsbn, a JavaScript crypto library. Before it used the CSRNG
>> in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did
>> a string comparison when checking the browser version.
>>
>> In practice though, this doesn't really matter, because
>> navigator.appVersion < "5" returns true anyway for old browsers. The
>> real issue is that modern browsers don't have window.crypto.random
>> defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be
>> using a CSPRNG, when run on a modern browser.
> Yes, it looks like high-quality entropy via crypto.getRandomValues was only
> added in Tom Wu's latest version (v1.4) in July 2013.
>
> Note that even with v1.4, it still does not use high-quality entropy for
> Internet Explorer, because getRandomValues is provided under window.msCrypto
> for that browser.
>
> http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js
>
>> As is noted though, even if a CSPRNG is used, the library passes the
>> output of the CSPRNG through RC4, which generates some biased bits,
>> leading to possible private key recovery.
> I think this is the real issue: even if high-quality entropy is utilised, the
> RNG is RC4-based, which is known to generate biased output.
>
> Finally, note that even Chrome used RC4 for crypto.getRandomValues at one
> point (as recently as 2015)!
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=552749
>
> --
> Jason Davies, https://www.jasondavies.com/
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
--
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
[-- Attachment #2: Type: text/html, Size: 7591 bytes --]
next prev parent reply other threads:[~2018-04-10 13:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-06 19:53 [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected ketamine
2018-04-06 20:51 ` Matias Alejo Garcia
2018-04-09 21:11 ` Mustafa Al-Bassam
2018-04-09 21:17 ` Mustafa Al-Bassam
2018-04-09 23:39 ` Mustafa Al-Bassam
2018-04-10 8:51 ` Jason Davies
2018-04-10 13:15 ` Aymeric Vitte [this message]
2018-04-10 13:32 ` Jason Davies
2018-04-10 13:50 ` Aymeric Vitte
2018-04-10 0:42 ` Jason Davies
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=33a9f602-6185-cac5-e457-e5a9af047dbc@gmail.com \
--to=vitteaymeric@gmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=jason@jasondavies.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox