<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>And specifically, here's a version of it that uses Arcfour:
      <a class="moz-txt-link-freetext" href="https://gist.github.com/jonls/5230850">https://gist.github.com/jonls/5230850</a><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 09/04/18 22:11, Mustafa Al-Bassam
      wrote:<br>
    </div>
    <blockquote
      cite="mid:921edfdb-e0e5-8ce4-55d8-ba4e84ef633f@musalbas.com"
      type="cite">
      <p>Here's the code in question: <a moz-do-not-send="true"
          class="moz-txt-link-freetext"
          href="https://github.com/jasondavies/jsbn/pull/7">https://github.com/jasondavies/jsbn/pull/7</a></p>
      <p>Best,<br>
      </p>
      <p>Mustafa<br>
      </p>
      <br>
      <div class="moz-cite-prefix">On 06/04/18 21:51, Matias Alejo
        Garcia via bitcoin-dev wrote:<br>
      </div>
      <blockquote
cite="mid:CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com"
        type="cite">
        <div dir="ltr">Source? </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Fri, Apr 6, 2018 at 4:53 PM,
            ketamine--- via bitcoin-dev <span dir="ltr">&lt;<a
                moz-do-not-send="true"
                href="mailto:bitcoin-dev@lists.linuxfoundation.org"
                target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">A
              significant number of past and current cryptocurrency
              products<br>
              contain a JavaScript class named SecureRandom(),
              containing both<br>
              entropy collection and a PRNG. The entropy collection and
              the RNG<br>
              itself are both deficient to the degree that key material
              can be<br>
              recovered by a third party with medium complexity. There
              are a<br>
              substantial number of variations of this SecureRandom()
              class in<br>
              various pieces of software, some with bugs fixed, some
              with additional<br>
              bugs added. Products that aren't today vulnerable due to
              moving to<br>
              other libraries may be using old keys that have been
              previously<br>
              compromised by usage of SecureRandom().<br>
              <br>
              <br>
The most common variations of the library attempt to
              collect entropy<br>
              from window.crypto's CSPRNG, but due to a type error in a
              comparison<br>
              this function is silently stepped over without failing.
              Entropy is<br>
subsequently gathered from math.Random (a 48-bit linear
              congruential<br>
              generator, seeded by the time in some browsers), and a
              single<br>
              execution of a medium resolution timer. In some known
              configurations<br>
              this system has substantially less than 48 bits of
              entropy.<br>
              <br>
              The core of the RNG is an implementation of RC4 ("arcfour
              random"),<br>
              and the output is often directly used for the creation of
              private key<br>
              material as well as cryptographic nonces for ECDSA
              signatures. RC4 is<br>
              publicly known to have biases of several bits, which are
              likely<br>
sufficient for a lattice solver to recover an ECDSA private
              key given a<br>
              number of signatures. One popular Bitcoin web wallet
              re-initialized<br>
              the RC4 state for every signature which makes the biases
              bit-aligned,<br>
but in other cases the Special K would manifest itself
              over<br>
              multiple transactions.<br>
              <br>
              <br>
              Necessary action:<br>
              <br>
                * identify and move all funds stored using
              SecureRandom()<br>
              <br>
  * rotate all key material generated by, or that has come into
              contact<br>
                  with any piece of software using SecureRandom()<br>
              <br>
                * do not write cryptographic tools in non-type safe
              languages<br>
              <br>
                * don't take the output of a CSPRNG and pass it through
              RC4<br>
              <br>
              -<br>
3CJ99vSipFi9z11UdbdZWfNKjywJnY8sT8<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a moz-do-not-send="true"
  href="mailto:bitcoin-dev@lists.linuxfoundation.org"
  target="_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a moz-do-not-send="true"
  href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev"
  rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr">Matías Alejo Garcia<br>
              @ematiu<br>
              Roads? Where we're going, we don't need roads!</div>
          </div>
        </div>
        <br>
      </blockquote>
      <br>
    </blockquote>
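<p>Added example, not code from this thread, from jsbn or from any wallet discussed above: a plain RC4 keystream generator used to measure the second-byte output bias the post refers to, next to a fail-closed CSPRNG selection that throws instead of silently stepping over the check the way the described SecureRandom() does. The xorshift key generator and all function names are constructions of this example; the bias figure (about 2/256 for a zero second byte) is the published Mantin-Shamir result.</p>

```javascript
// Plain RC4 (KSA then PRGA); returns the first `n` keystream bytes for `key`.
function rc4Keystream(key, n) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {        // key scheduling
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(n);
  for (let k = 0, i = 0, j = 0; k < n; k++) {    // keystream generation
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Reproducible 16-byte keys from xorshift32 (constructed helper: diverse, not secure).
function* keyStream(seed) {
  let x = seed >>> 0;
  for (;;) {
    const key = new Uint8Array(16);
    for (let b = 0; b < 16; b++) {
      x ^= x << 13; x ^= x >>> 17; x ^= x << 5; x >>>= 0;
      key[b] = x & 0xff;
    }
    yield key;
  }
}

// Fraction of keys whose 2nd keystream byte is 0: uniform gives 1/256, RC4 about 2/256.
function secondByteZeroRate(trials, seed = 0x9e3779b9) {
  const keys = keyStream(seed);
  let zeros = 0;
  for (let t = 0; t < trials; t++) {
    if (rc4Keystream(keys.next().value, 2)[1] === 0) zeros++;
  }
  return zeros / trials;
}

// Fail-closed CSPRNG selection: a getRandomValues-backed getter, or an error. No fallback.
function secureBytesFactory(cryptoObj) {
  if (!cryptoObj || typeof cryptoObj.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available; refusing to generate key material');
  }
  return (n) => cryptoObj.getRandomValues(new Uint8Array(n));
}
```

Running secondByteZeroRate(20000) lands near 0.0078 rather than the 0.0039 a uniform source would give, which is the kind of bias a lattice solver needs no more of when the bytes become ECDSA nonces.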
    <br>
  </body>
</html>