<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Here's the code in question:
      <a class="moz-txt-link-freetext" href="https://github.com/jasondavies/jsbn/pull/7">https://github.com/jasondavies/jsbn/pull/7</a></p>
    <p>Best,<br>
    </p>
    <p>Mustafa<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 06/04/18 21:51, Matias Alejo Garcia
      via bitcoin-dev wrote:<br>
    </div>
    <blockquote
cite="mid:CA+vKqYc3X6ZjVNXs0xgsLGekxPCTcLZj7t2vkyBOV_o=2C2qPA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Source? </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Apr 6, 2018 at 4:53 PM,
          ketamine--- via bitcoin-dev <span dir="ltr">&lt;<a
              moz-do-not-send="true"
              href="mailto:bitcoin-dev@lists.linuxfoundation.org"
              target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">A
            significant number of past and current cryptocurrency products
            contain a JavaScript class named SecureRandom(), containing both
            entropy collection and a PRNG. The entropy collection and the RNG
            itself are both deficient to the degree that key material can be
            recovered by a third party with medium complexity. There are a
            substantial number of variations of this SecureRandom() class in
            various pieces of software, some with bugs fixed, some with
            additional bugs added. Products that aren't today vulnerable due to
            moving to other libraries may be using old keys that have been
            previously compromised by usage of SecureRandom().<br>
            <br>
            The most common variations of the library attempt to collect
            entropy from window.crypto's CSPRNG, but due to a type error in a
            comparison this function is silently stepped over without failing.
            Entropy is subsequently gathered from Math.random (a 48-bit linear
            congruential generator, seeded by the time in some browsers), and a
            single execution of a medium-resolution timer. In some known
            configurations this system has substantially less than 48 bits of
            entropy.<br>
            <br>
            The core of the RNG is an implementation of RC4 ("arcfour random"),
            and the output is often directly used for the creation of private
            key material as well as cryptographic nonces for ECDSA signatures.
            RC4 is publicly known to have biases of several bits, which are
            likely sufficient for a lattice solver to recover an ECDSA private
            key given a number of signatures. One popular Bitcoin web wallet
            re-initialized the RC4 state for every signature, which makes the
            biases bit-aligned, but in other cases the Special K would manifest
            itself over multiple transactions.<br>
            <br>
            Necessary action:<br>
            <br>
              * identify and move all funds stored using SecureRandom()<br>
            <br>
              * rotate all key material generated by, or that has come into
                contact with, any piece of software using SecureRandom()<br>
            <br>
              * do not write cryptographic tools in non-type-safe languages<br>
            <br>
              * don't take the output of a CSPRNG and pass it through RC4<br>
            <br>
            -<br>
            3CJ99vSipFi9z11UdbdZWfNKjywJnY8sT8<br>
            _______________________________________________<br>
            bitcoin-dev mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:bitcoin-dev@lists.linuxfoundation.org"
              target="_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev"
              rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">Matías Alejo Garcia<br>
            @ematiu<br>
            Roads? Where we're going, we don't need roads!</div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>