Indeed, this impacts jsbn only normally since all others from the time
getRandomValues was available are supposed to implement both
On 10/04/2018 at 15:32, Jason Davies wrote:
>> Note that even with v1.4, it still does not use high-quality entropy for
>> Internet Explorer, because getRandomValues is provided under window.msCrypto
>> for that browser.
>
> I don't know about that one, what was the issue?
I simply meant that Internet Explorer implements the Web Cryptography
I used jsbn in the past, then I did some research too
Apparently window.crypto.getRandomValues was introduced in jsbn mid 2012
(according to the wayback machine, but 2012/2013 does not make any
difference, see below), was available in Chrome since 2011 (but indeed
see
On 10 Apr 2018, at 00:39, m...@musalbas.com wrote:
> The original disclosure didn't contain any information about the library
> in question, so I did some digging.
>
> I think that the vulnerability disclosure is referring to a pre-2013
> version of jsbn, a JavaScript crypto library. Before it
These issues all stem from the RC4-based RNG implementation (with insecure
fallback entropy) in Tom Wu's jsbn library, published here:
http://www-cs-students.stanford.edu/~tjw/jsbn/
Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's code
(published to NPM):
The original disclosure didn't contain any information about the library
in question, so I did some digging.
I think that the vulnerability disclosure is referring to a pre-2013
version of jsbn, a JavaScript crypto library. Before it used the CSRNG
in the Web Crypto API, it tried to use
Here's the code in question: https://github.com/jasondavies/jsbn/pull/7
Best,
Mustafa
On 06/04/18 21:51, Matias Alejo Garcia via bitcoin-dev wrote:
> Source?
>
> On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev
>
And specifically, here's a version of it that uses Arcfour:
https://gist.github.com/jonls/5230850
On 09/04/18 22:11, Mustafa Al-Bassam wrote:
>
> Here's the code in question: https://github.com/jasondavies/jsbn/pull/7
>
> Best,
>
> Mustafa
>
>
> On 06/04/18 21:51, Matias Alejo Garcia via
Source?
On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> A significant number of past and current cryptocurrency products
> contain a JavaScript class named SecureRandom(), containing both
> entropy collection and a PRNG. The entropy
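
The thread's two points, that Internet Explorer exposes getRandomValues under window.msCrypto and that the old SecureRandom code fell back to insecure entropy, can be handled as in the following added example, which is not code from jsbn or from any message above. The names `findCsprng`, `secureRandomBytes` and `makeIeLikeScope` are hypothetical, and the IE-like scope is a constructed stand-in.

```javascript
// Added example; all function names here are hypothetical, not jsbn's API.
const MAX_CHUNK = 65536; // getRandomValues rejects requests above 65536 bytes

// Return the first object in `scope` that exposes getRandomValues.
// Standard browsers use scope.crypto; Internet Explorer uses scope.msCrypto.
function findCsprng(scope) {
  for (const name of ["crypto", "msCrypto"]) {
    const candidate = scope && scope[name];
    if (candidate && typeof candidate.getRandomValues === "function") {
      return candidate;
    }
  }
  return null;
}

// Return `length` random bytes or throw. There is deliberately no
// Math.random() or timestamp fallback: missing CSPRNG is a hard failure.
function secureRandomBytes(length, scope = globalThis) {
  if (!Number.isInteger(length) || length < 0) {
    throw new RangeError("length must be a non-negative integer");
  }
  const csprng = findCsprng(scope);
  if (csprng === null) {
    throw new Error("no CSPRNG available: refusing to fall back to weak entropy");
  }
  const out = new Uint8Array(length);
  for (let offset = 0; offset < length; offset += MAX_CHUNK) {
    // subarray() is a view on `out`, so each call fills the result in place.
    const end = Math.min(offset + MAX_CHUNK, length);
    csprng.getRandomValues(out.subarray(offset, end));
  }
  return out;
}

// Constructed stand-in for an IE-like global: no `crypto`, only `msCrypto`.
// The counter fill is for demonstration only and is NOT random.
function makeIeLikeScope() {
  const calls = [];
  const msCrypto = {
    getRandomValues(view) {
      calls.push(view.length);
      for (let i = 0; i < view.length; i++) view[i] = i & 0xff;
      return view;
    },
  };
  return { calls, msCrypto };
}
```
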