On 10 Apr 2018, at 00:39, m...@musalbas.com wrote: > The original disclosure didn't contain any information about the library > in question, so I did some digging. > > I think that the vulnerability disclosure is referring to a pre-2013 > version of jsbn, a JavaScript crypto library. Before it used the CSRNG > in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did > a string comparison when checking the browser version. > > In practice though, this doesn't really matter, because > navigator.appVersion < "5" returns true anyway for old browsers. The > real issue is that modern browsers don't have window.crypto.random > defined, so Bitcoin wallets using a pre-2013 version of jsbn may not be > using a CSPRNG, when run on a modern browser.
Yes, it looks like high-quality entropy via crypto.getRandomValues was only added in Tom Wu's latest version (v1.4) in July 2013. Note that even with v1.4, it still does not use high-quality entropy for Internet Explorer, because getRandomValues is provided under window.msCrypto for that browser. http://www-cs-students.stanford.edu/~tjw/jsbn/rng.js > As is noted though, even if a CSPRNG is used, the library passes the > output of the CSPRNG through RC4, which generates some biased bits, > leading to possible private key recovery. I think this is the real issue: even if high-quality entropy is utilised, the RNG is RC4-based, which is known to generate biased output. Finally, note that even Chrome used RC4 for crypto.getRandomValues at one point (as recently as 2015)! https://bugs.chromium.org/p/chromium/issues/detail?id=552749 -- Jason Davies, https://www.jasondavies.com/ _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev