1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
Return-Path: <ematiu@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id B0511D66
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 6 Apr 2018 20:51:33 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ua0-f176.google.com (mail-ua0-f176.google.com
[209.85.217.176])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 00750621
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 6 Apr 2018 20:51:32 +0000 (UTC)
Received: by mail-ua0-f176.google.com with SMTP id q12so1510721uae.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 06 Apr 2018 13:51:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
bh=IaqJwjWUL8iIWIY3HV025zUtl2iHIw2lNpDUH4yhOmc=;
b=fYAt6aqdhNwDS0Id+RgQRXJ4Ox/EIYtpNP4zF7B4hBOVcPbG4+IXNImodjExueyK2C
f2xi1RDx6ca+wI/5krZUa5mscq5VmpjVibbEzay9nVHTukeCy0Ls2XBbvf94zxpTwAW+
xE9bld8XaONYE6OT33LPaMqqldnuFGSlamk6/tJ/5dvpKWqCxr0znvLMkEfvYqxkqbqJ
/fA0HaVpo5UXhXsqaCageGUYbnrhODFoiuqM7KOs6dn5y+j56BuA9qbIVQSsSB9obOZV
Y60KjCbVQWyXVHiKbGTInzwKBc285fbhm/hQZ+Hn6/K+SCYz0ONSyUp+DXBMrcqxBzOI
CZqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to;
bh=IaqJwjWUL8iIWIY3HV025zUtl2iHIw2lNpDUH4yhOmc=;
b=Uv50ZKkaryjjwc7t/RqAJhxBb43HPNy0gFVwVqmDUsfBXnlY2bQcwCm6MYU9z4ClJU
cCeurWgYoVqj3W3QUixyOJyfuy1CUIwSdiFxEgqw8C0gpon1QxKVBTubElTQnOn2PKzG
mgziqBFG+ooBmmuWSM6eCyxd+f3gKWNNcaPKQDH4ZeGgil7Zf4BmxhkKGFCSoTKsqA50
JMWzxYlx28WYjxtOW/3+nFW1poVQeijWUJkRz4I6/TJe7kHSzQKbKecPW5/ZFRs1p5So
ncwW/hT074FoY3QCGLpD4a0GiAkSkQaNj2XoLO13q3kGGImBeNFMehVcdTxYxqW82WBn
EkXw==
X-Gm-Message-State: ALQs6tCCxh04r507ns43m29Mz/mdlY++DHgQbVfwEyblw/ANq7GgFJPL
0sKtDm8t2Pcd9dxI/2z9EwhfSIy+7oW61shCGw0=
X-Google-Smtp-Source: AIpwx48xKjpyiE8AFSco0GFaIb6SGxqi7fGkC204YulzQjPl7LXaiIPL6WcixzX0hPRBohjyfXdVx7MWeMqTxTWNnuQ=
X-Received: by 10.159.34.241 with SMTP id 104mr17851544uan.182.1523047891999;
Fri, 06 Apr 2018 13:51:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.90.28 with HTTP; Fri, 6 Apr 2018 13:51:11 -0700 (PDT)
In-Reply-To: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
From: Matias Alejo Garcia <ematiu@gmail.com>
Date: Fri, 6 Apr 2018 17:51:11 -0300
Message-ID: <CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com>
To: ketamine@national.shitposting.agency,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="94eb2c04c9329420db0569343817"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 06 Apr 2018 20:55:56 +0000
Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in
SecureRandom(), numerous cryptocurrency products affected.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 20:51:33 -0000
--94eb2c04c9329420db0569343817
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Source?
On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> A significant number of past and current cryptocurrency products
> contain a JavaScript class named SecureRandom(), containing both
> entropy collection and a PRNG. The entropy collection and the RNG
> itself are both deficient to the degree that key material can be
> recovered by a third party with medium complexity. There are a
> substantial number of variations of this SecureRandom() class in
> various pieces of software, some with bugs fixed, some with additional
> bugs added. Products that aren't today vulnerable due to moving to
> other libraries may be using old keys that have been previously
> compromised by usage of SecureRandom().
>
>
> The most common variations of the library attempts to collect entropy
> from window.crypto's CSPRNG, but due to a type error in a comparison
> this function is silently stepped over without failing. Entropy is
> subsequently gathered from math.Random (a 48bit linear congruential
> generator, seeded by the time in some browsers), and a single
> execution of a medium resolution timer. In some known configurations
> this system has substantially less than 48 bits of entropy.
>
> The core of the RNG is an implementation of RC4 ("arcfour random"),
> and the output is often directly used for the creation of private key
> material as well as cryptographic nonces for ECDSA signatures. RC4 is
> publicly known to have biases of several bits, which are likely
> sufficient for a lattice solver to recover a ECDSA private key given a
> number of signatures. One popular Bitcoin web wallet re-initialized
> the RC4 state for every signature which makes the biases bit-aligned,
> but in other cases the Special K would be manifest itself over
> multiple transactions.
>
>
> Necessary action:
>
> * identify and move all funds stored using SecureRandom()
>
> * rotate all key material generated by, or has come into contact
> with any piece of software using SecureRandom()
>
> * do not write cryptographic tools in non-type safe languages
>
> * don't take the output of a CSPRNG and pass it through RC4
>
> -
> 3CJ99vSipFi9z11UdbdZWfNKjywJnY8sT8
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--=20
Mat=C3=ADas Alejo Garcia
@ematiu
Roads? Where we're going, we don't need roads!
--94eb2c04c9329420db0569343817
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Source?=C2=A0</div><div class=3D"gmail_extra"><br><div cla=
ss=3D"gmail_quote">On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-=
dev <span dir=3D"ltr"><<a href=3D"mailto:bitcoin-dev@lists.linuxfoundati=
on.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>></sp=
an> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;=
border-left:1px #ccc solid;padding-left:1ex">A significant number of past a=
nd current cryptocurrency products<br>
contain a JavaScript class named SecureRandom(), containing both<br>
entropy collection and a PRNG. The entropy collection and the RNG<br>
itself are both deficient to the degree that key material can be<br>
recovered by a third party with medium complexity. There are a<br>
substantial number of variations of this SecureRandom() class in<br>
various pieces of software, some with bugs fixed, some with additional<br>
bugs added. Products that aren't today vulnerable due to moving to<br>
other libraries may be using old keys that have been previously<br>
compromised by usage of SecureRandom().<br>
<br>
<br>
The most common variations of the library attempts to collect entropy<br>
from window.crypto's CSPRNG, but due to a type error in a comparison<br=
>
this function is silently stepped over without failing. Entropy is<br>
subsequently gathered from math.Random (a 48bit linear congruential<br>
generator, seeded by the time in some browsers), and a single<br>
execution of a medium resolution timer. In some known configurations<br>
this system has substantially less than 48 bits of entropy.<br>
<br>
The core of the RNG is an implementation of RC4 ("arcfour random"=
),<br>
and the output is often directly used for the creation of private key<br>
material as well as cryptographic nonces for ECDSA signatures. RC4 is<br>
publicly known to have biases of several bits, which are likely<br>
sufficient for a lattice solver to recover a ECDSA private key given a<br>
number of signatures. One popular Bitcoin web wallet re-initialized<br>
the RC4 state for every signature which makes the biases bit-aligned,<br>
but in other cases the Special K would be manifest itself over<br>
multiple transactions.<br>
<br>
<br>
Necessary action:<br>
<br>
=C2=A0 * identify and move all funds stored using SecureRandom()<br>
<br>
=C2=A0 * rotate all key material generated by, or has come into contact<br>
=C2=A0 =C2=A0 with any piece of software using SecureRandom()<br>
<br>
=C2=A0 * do not write cryptographic tools in non-type safe languages<br>
<br>
=C2=A0 * don't take the output of a CSPRNG and pass it through RC4<br>
<br>
-<br>
3CJ99vSipFi9z11UdbdZWfNKjywJnY<wbr>8sT8<br>
______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundat<wbr>ion.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-d<wbr>ev</a><br>
</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br><div class=
=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div dir=3D"ltr">Ma=
t=C3=ADas Alejo Garcia<br>@ematiu<br>Roads? Where we're going, we don&#=
39;t need roads!</div></div>
</div>
--94eb2c04c9329420db0569343817--
|
