Return-Path: <mus@musalbas.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 7CF15DA7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Apr 2018 23:39:20 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from algebra.musalbas.com (algebra.musalbas.com [163.172.28.238])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 55DDE671
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon,  9 Apr 2018 23:39:19 +0000 (UTC)
Received: from [10.15.0.6] (unknown [10.15.0.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by algebra.musalbas.com (Postfix) with ESMTPSA id 3093512C01AF;
	Tue, 10 Apr 2018 01:39:17 +0200 (CEST)
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Matias Alejo Garcia <ematiu@gmail.com>,
	ketamine@national.shitposting.agency
References: <84976adb75bef1dfdb12b98c19811278@national.shitposting.agency>
	<CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com>
	<921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com>
	<010e34a3-f9cf-fba1-5482-de06bc350d64@musalbas.com>
From: Mustafa Al-Bassam <mus@musalbas.com>
Message-ID: <69fb5cc4-7b3d-e23d-2b7e-cddcd7b2877b@musalbas.com>
Date: Tue, 10 Apr 2018 00:39:15 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <010e34a3-f9cf-fba1-5482-de06bc350d64@musalbas.com>
Content-Type: multipart/alternative;
	boundary="------------531ED1744281DB8D4C1A1A08"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=musalbas.com; s=dkim;
	t=1523317157; bh=vZVGsunnPeZvDx/bghvgC5zBeZIMMeOKQh7nJuWA/48=;
	h=Subject:To:References:From:Message-ID:Date:MIME-Version:In-Reply-To:Content-Type;
	b=rfqqua7M8iHaxcJGQSd7sITK6USSiPjW+IDb7UnDC50IkO1sYcCdqQr387fPGhkpq7CqS6gP1aV1WxBqU6AmcKLFYOSyruJ36o1U363oFnrDTHh6lnrPeXF0NKdOlnP6gAKaERtpPN6pIk3JT4d0wf7PVCgu97EtXPhiKn+mxD0=
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in
 SecureRandom(), numerous cryptocurrency products affected.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 23:39:20 -0000

This is a multi-part message in MIME format.
--------------531ED1744281DB8D4C1A1A08
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit

The original disclosure didn't contain any information about the library
in question, so I did some digging.

I think that the vulnerability disclosure is referring to a pre-2013
version of jsbn, a JavaScript crypto library. Before it used the CSPRNG
in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did
a string comparison when checking the browser version.

In practice though, this doesn't really matter, because
navigator.appVersion < "5" returns true anyway for old browsers. The
real issue is that modern browsers don't have window.crypto.random
defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be
using a CSPRNG, when run on a modern browser.

As is noted though, even if a CSPRNG is used, the library passes the
output of the CSPRNG through RC4, which generates some biased bits,
leading to possible private key recovery.


On 09/04/18 22:17, Mustafa Al-Bassam via bitcoin-dev wrote:
>
> And specifically, here's a version of it that uses Arcfour:
> https://gist.github.com/jonls/5230850
>
>
> On 09/04/18 22:11, Mustafa Al-Bassam wrote:
>>
>> Here's the code in question: https://github.com/jasondavies/jsbn/pull/7
>>
>> Best,
>>
>> Mustafa
>>
>>
>> On 06/04/18 21:51, Matias Alejo Garcia via bitcoin-dev wrote:
>>> Source? 
>>>
>>> On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev
>>> <bitcoin-dev@lists.linuxfoundation.org
>>> <mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>>>
>>>     A significant number of past and current cryptocurrency products
>>>     contain a JavaScript class named SecureRandom(), containing both
>>>     entropy collection and a PRNG. The entropy collection and the RNG
>>>     itself are both deficient to the degree that key material can be
>>>     recovered by a third party with medium complexity. There are a
>>>     substantial number of variations of this SecureRandom() class in
>>>     various pieces of software, some with bugs fixed, some with
>>>     additional bugs added. Products that aren't vulnerable today, due to
>>>     moving to other libraries, may be using old keys that have been
>>>     previously compromised by usage of SecureRandom().
>>>
>>>
>>>     The most common variations of the library attempt to collect
>>>     entropy from window.crypto's CSPRNG, but due to a type error in a
>>>     comparison this function is silently stepped over without failing.
>>>     Entropy is subsequently gathered from Math.random (a 48-bit linear
>>>     congruential generator, seeded by the time in some browsers), and a
>>>     single execution of a medium-resolution timer. In some known
>>>     configurations this system has substantially less than 48 bits of
>>>     entropy.
>>>
>>>     The core of the RNG is an implementation of RC4 ("arcfour random"),
>>>     and the output is often directly used for the creation of private
>>>     key material as well as cryptographic nonces for ECDSA signatures.
>>>     RC4 is publicly known to have biases of several bits, which are
>>>     likely sufficient for a lattice solver to recover an ECDSA private
>>>     key given a number of signatures. One popular Bitcoin web wallet
>>>     re-initialized the RC4 state for every signature, which makes the
>>>     biases bit-aligned, but in other cases the Special K would manifest
>>>     itself over multiple transactions.
>>>
>>>
>>>     Necessary action:
>>>
>>>       * identify and move all funds stored using SecureRandom()
>>>
>>>       * rotate all key material generated by, or that has come into
>>>         contact with, any piece of software using SecureRandom()
>>>
>>>       * do not write cryptographic tools in non-type-safe languages
>>>
>>>       * don't take the output of a CSPRNG and pass it through RC4
>>>
>>>     -
>>>     3CJ99vSipFi9z11UdbdZWfNKjywJnY8sT8
>>>     _______________________________________________
>>>     bitcoin-dev mailing list
>>>     bitcoin-dev@lists.linuxfoundation.org
>>>     <mailto:bitcoin-dev@lists.linuxfoundation.org>
>>>     https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>     <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
>>>
>>>
>>>
>>>
>>> -- 
>>> Matías Alejo Garcia
>>> @ematiu
>>> Roads? Where we're going, we don't need roads!
>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


--------------531ED1744281DB8D4C1A1A08--