1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
|
Return-Path: <vitteaymeric@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id D5691D9B
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 10 Apr 2018 13:15:12 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wr0-f170.google.com (mail-wr0-f170.google.com
[209.85.128.170])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 44C11627
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 10 Apr 2018 13:15:11 +0000 (UTC)
Received: by mail-wr0-f170.google.com with SMTP id o3so465950wri.2
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 10 Apr 2018 06:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=subject:to:references:from:openpgp:message-id:date:user-agent
:mime-version:in-reply-to:content-language;
bh=C4rFb24ZZKbj7PXA75gCBrHfJ0YUBDrqwolBydbGSrY=;
b=J3dhGWigjFROzUDDOaGiF8uk75aAGx5PwOFIaP9ODJDlo+hHDosxETFl61pFIR/M5s
+5ZIw4p217CjmzXJrmU/fyobSCeXRwP+ALlma1KqGNmAPrazHyXVBoaFP7M0JvtEWg38
rfSvdIp1A8/n9fvhsZGXSpcGgNsrFW9ASbi67X9eNtd8isx6atRu8nxBFOrx/R4dUCWE
PAg2Yu8iGZENa1by/E+7AWt2m0KeYalSDlzg/O0BUpc/DnfMKCjuhNYeqT/8BOD/nETn
ejx9UKFIZs9Xhgc6FL+f1WQfTgAad3Xw9XgZDdJ8DgfvLcVZkEuXGXETOedUpIa0tCWK
ipCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:subject:to:references:from:openpgp:message-id
:date:user-agent:mime-version:in-reply-to:content-language;
bh=C4rFb24ZZKbj7PXA75gCBrHfJ0YUBDrqwolBydbGSrY=;
b=YJJrnLILiSX6cYFn48NUfvq59WdSdXTLASHkJ4kuv2JD15yajewP5+/IzPWwLhqLAz
HtQnZipFm4BF++/JGnDWdntiojKAFaA1JePYXWZIBQYAOtqBqtdvukX6EktffBA5W2Vv
aWXAa8YNrrX+cqlEAY4i42HjadyfqfR93cdoZKmpAeQBXbt0QnIp4u8N8CrJiX5xCFNc
W1Le+EHSOjMTUuoY3KpJ71cELmhaqptp6T0j6UU3RBwxZzxlUvzcCb93955yHvqAJEhH
LK5jPG1FXgpS/V1RjDIhtP6iun8D9jU+ferSBKLSxNIR+JD0AdsjUNSQIDar2+tBx8ix
E7Hg==
X-Gm-Message-State: ALQs6tDo3dmxGxZQmik4wWk7d6bipOgZkSoOIm5UlijHYwGvenqKt+zE
WIIzMP6JeD59vWuWLwm+snnlhQ==
X-Google-Smtp-Source: AIpwx483tpPf7c9b6yiuTYCPN5sMQnCUpkTDsbbTthoNod1Vjh7gPlK008wDqJtydslgHdVTPY+Zdg==
X-Received: by 10.223.170.4 with SMTP id p4mr282935wrd.226.1523366109516;
Tue, 10 Apr 2018 06:15:09 -0700 (PDT)
Received: from ?IPv6:2a01:cb1d:44:6500:9d6d:71b2:cb71:cb17?
([2a01:cb1d:44:6500:9d6d:71b2:cb71:cb17])
by smtp.googlemail.com with ESMTPSA id
k14sm3106011wrc.62.2018.04.10.06.15.07
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 10 Apr 2018 06:15:08 -0700 (PDT)
To: Jason Davies <jason@jasondavies.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
<CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com>
<921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com>
<010e34a3-f9cf-fba1-5482-de06bc350d64@musalbas.com>
<69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com>
<333F9973-6092-45B7-A87F-32730D752501@jasondavies.com>
From: Aymeric Vitte <vitteaymeric@gmail.com>
Openpgp: preference=signencrypt
Message-ID: <33a9f602-6185-cac5-e457-e5a9af047dbc@gmail.com>
Date: Tue, 10 Apr 2018 15:15:22 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:52.0) Gecko/20100101
Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <333F9973-6092-45B7-A87F-32730D752501@jasondavies.com>
Content-Type: multipart/alternative;
boundary="------------7C080149BFEE5477173C69C5"
Content-Language: fr
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in
SecureRandom(), numerous cryptocurrency products affected.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 13:15:12 -0000
This is a multi-part message in MIME format.
--------------7C080149BFEE5477173C69C5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
I used jsbn in the past, then I made some research too
Apparently window.crypto.getRandomValues was introduced in jsbn mid 2012
(according to the wayback machine, but 2012/2013 does not make any
difference, see below), was available in Chrome since 2011 (but indeed
see "window.crypto.getRandomValues() uses a weak CSPRNG"
https://bugs.chromium.org/p/chromium/issues/detail?id=552749 fixed *end
*of 2015, funny to see that those that did specify the Webcrypto API did
not implement it correctly...), in FF in 2013
(https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/21.0/releasenotes/)
, in IE in 2013 and Safari ~2012/2013, at least that's the official
dates for the Webcrypto API implementation, maybe something existed
before, but it's not so easy to seek for the history
The window.crypto.random check is in jsbn since the begining (2006) and
only returns true for Netscape browsers before Netscape 5/6, ie Firefox
(2000), see
https://books.google.fr/books?id=UooAblGoGN8C&pg=PA85&lpg=PA85&dq=browser+appversion+4&source=bl&ots=dVijsOR0ov&sig=6SnElm56-bAvmGlKqUAdoGLAs2A&hl=fr&sa=X&ved=2ahUKEwirhtaqva_aAhUFchQKHQ4JCk4Q6AEwBXoECAAQcQ#v=onepage&q=browser%20appversion%204&f=false)
From the existing tools, there was not only jsbn, everybody was using
Math.random (sjcl, cryptoJS, forge, etc) with different implementations
and everybody did put a note stating that it might be insecure with an
"improvement to come" comment
We can probably assume that nobody was using Netscape any longer when
Bitcoin started
The conclusion seems to be that at least all wallets generated by js
tools inside browsers since bitcoin exists until 2011 are impacted by
the Math.random weakness if applicable to the related implementations,
the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4
weakness for Chrome users until end of 2015
And all wallets using jsbn are impacted by Math.random and RC4 until
2013 (or end 2015 for Chrome), then still by the RC4 fallback step after
> Note that even with v1.4, it still does not use high-quality entropy
for Internet Explorer, because getRandomValues is provided under
window.msCrypto for that browser
I don't know for that one, what was the issue?
Le 10/04/2018 à 10:51, Jason Davies via bitcoin-dev a écrit :
> On 10 Apr 2018, at 00:39, mus@musalbas.com wrote:
>
>> The original disclosure didn't contain any information about the library
>> in question, so I did some digging.
>>
>> I think that the vulnerability disclosure is referring to a pre-2013
>> version of jsbn, a JavaScript crypto library. Before it used the CSRNG
>> in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did
>> a string comparison when checking the browser version.
>>
>> In practice though, this doesn't really matter, because
>> navigator.appVersion < "5" returns true anyway for old browsers. The
>> real issue is that modern browsers don't have window.crypto.random
>> defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be
>> using a CSPRNG, when run on a modern browser.
> Yes, it looks like high-quality entropy via crypto.getRandomValues was only
> added in Tom Wu's latest version (v1.4) in July 2013.
>
> Note that even with v1.4, it still does not use high-quality entropy for
> Internet Explorer, because getRandomValues is provided under window.msCrypto
> for that browser.
>
> http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js
>
>> As is noted though, even if a CSPRNG is used, the library passes the
>> output of the CSPRNG through RC4, which generates some biased bits,
>> leading to possible private key recovery.
> I think this is the real issue: even if high-quality entropy is utilised, the
> RNG is RC4-based, which is known to generate biased output.
>
> Finally, note that even Chrome used RC4 for crypto.getRandomValues at one
> point (as recently as 2015)!
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=552749
>
> --
> Jason Davies, https://www.jasondavies.com/
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
--
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
--------------7C080149BFEE5477173C69C5
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I used jsbn in the past, then I made some research too<br>
<br>
Apparently window.crypto.getRandomValues was introduced in jsbn
mid 2012 (according to the wayback machine, but 2012/2013 does not
make any difference, see below), was available in Chrome since
2011 (but indeed see "window.crypto.getRandomValues() uses a weak
CSPRNG"
<a class="moz-txt-link-freetext" href="https://bugs.chromium.org/p/chromium/issues/detail?id=552749">https://bugs.chromium.org/p/chromium/issues/detail?id=552749</a> fixed
<b>end </b>of 2015, funny to see that those that did specify the
Webcrypto API did not implement it correctly...), in FF in 2013
(<a class="moz-txt-link-freetext" href="https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/21.0/releasenotes/">https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/21.0/releasenotes/</a>)
, in IE in 2013 and Safari ~2012/2013, at least that's the
official dates for the Webcrypto API implementation, maybe
something existed before, but it's not so easy to seek for the
history<br>
<br>
The window.crypto.random check is in jsbn since the begining
(2006) and only returns true for Netscape browsers before Netscape
5/6, ie Firefox (2000), see
<a class="moz-txt-link-freetext" href="https://books.google.fr/books?id=UooAblGoGN8C&pg=PA85&lpg=PA85&dq=browser+appversion+4&source=bl&ots=dVijsOR0ov&sig=6SnElm56-bAvmGlKqUAdoGLAs2A&hl=fr&sa=X&ved=2ahUKEwirhtaqva_aAhUFchQKHQ4JCk4Q6AEwBXoECAAQcQ#v=onepage&q=browser%20appversion%204&f=false">https://books.google.fr/books?id=UooAblGoGN8C&pg=PA85&lpg=PA85&dq=browser+appversion+4&source=bl&ots=dVijsOR0ov&sig=6SnElm56-bAvmGlKqUAdoGLAs2A&hl=fr&sa=X&ved=2ahUKEwirhtaqva_aAhUFchQKHQ4JCk4Q6AEwBXoECAAQcQ#v=onepage&q=browser%20appversion%204&f=false</a>)<br>
<br>
From the existing tools, there was not only jsbn, everybody was
using Math.random (sjcl, cryptoJS, forge, etc) with different
implementations and everybody did put a note stating that it might
be insecure with an "improvement to come" comment<br>
<br>
We can probably assume that nobody was using Netscape any longer
when Bitcoin started<br>
<br>
The conclusion seems to be that at least all wallets generated by
js tools inside browsers since bitcoin exists until 2011 are
impacted by the Math.random weakness if applicable to the related
implementations, the Math.random or RC4 (Chrome) weakness between
2011 and 2013, and RC4 weakness for Chrome users until end of 2015<br>
<br>
And all wallets using jsbn are impacted by Math.random and RC4
until 2013 (or end 2015 for Chrome), then still by the RC4
fallback step after</p>
> Note that even with v1.4, it still does not use high-quality
entropy for Internet Explorer, because getRandomValues is provided
under window.msCrypto for that browser<br>
<br>
I don't know for that one, what was the issue?<br>
<br>
<div class="moz-cite-prefix">Le 10/04/2018 à 10:51, Jason Davies via
bitcoin-dev a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:333F9973-6092-45B7-A87F-32730D752501@jasondavies.com">
<pre wrap="">On 10 Apr 2018, at 00:39, <a class="moz-txt-link-abbreviated" href="mailto:mus@musalbas.com">mus@musalbas.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The original disclosure didn't contain any information about the library
in question, so I did some digging.
I think that the vulnerability disclosure is referring to a pre-2013
version of jsbn, a JavaScript crypto library. Before it used the CSRNG
in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did
a string comparison when checking the browser version.
In practice though, this doesn't really matter, because
navigator.appVersion < "5" returns true anyway for old browsers. The
real issue is that modern browsers don't have window.crypto.random
defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be
using a CSPRNG, when run on a modern browser.
</pre>
</blockquote>
<pre wrap="">
Yes, it looks like high-quality entropy via crypto.getRandomValues was only
added in Tom Wu's latest version (v1.4) in July 2013.
Note that even with v1.4, it still does not use high-quality entropy for
Internet Explorer, because getRandomValues is provided under window.msCrypto
for that browser.
<a class="moz-txt-link-freetext" href="http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js">http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js</a>
</pre>
<blockquote type="cite">
<pre wrap="">As is noted though, even if a CSPRNG is used, the library passes the
output of the CSPRNG through RC4, which generates some biased bits,
leading to possible private key recovery.
</pre>
</blockquote>
<pre wrap="">
I think this is the real issue: even if high-quality entropy is utilised, the
RNG is RC4-based, which is known to generate biased output.
Finally, note that even Chrome used RC4 for crypto.getRandomValues at one
point (as recently as 2015)!
<a class="moz-txt-link-freetext" href="https://bugs.chromium.org/p/chromium/issues/detail?id=552749">https://bugs.chromium.org/p/chromium/issues/detail?id=552749</a>
--
Jason Davies, <a class="moz-txt-link-freetext" href="https://www.jasondavies.com/">https://www.jasondavies.com/</a>
_______________________________________________
bitcoin-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>
<a class="moz-txt-link-freetext" href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bitcoin transactions made simple: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/bitcoin-transactions">https://github.com/Ayms/bitcoin-transactions</a>
Zcash wallets made simple: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/zcash-wallets">https://github.com/Ayms/zcash-wallets</a>
Bitcoin wallets made simple: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/bitcoin-wallets">https://github.com/Ayms/bitcoin-wallets</a>
Get the torrent dynamic blocklist: <a class="moz-txt-link-freetext" href="http://peersm.com/getblocklist">http://peersm.com/getblocklist</a>
Check the 10 M passwords list: <a class="moz-txt-link-freetext" href="http://peersm.com/findmyass">http://peersm.com/findmyass</a>
Anti-spies and private torrents, dynamic blocklist: <a class="moz-txt-link-freetext" href="http://torrent-live.org">http://torrent-live.org</a>
Peersm : <a class="moz-txt-link-freetext" href="http://www.peersm.com">http://www.peersm.com</a>
torrent-live: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/torrent-live">https://github.com/Ayms/torrent-live</a>
node-Tor : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms/node-Tor">https://www.github.com/Ayms/node-Tor</a>
GitHub : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms">https://www.github.com/Ayms</a></pre>
</body>
</html>
--------------7C080149BFEE5477173C69C5--
|