Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Aymeric Vitte via bitcoin-dev
Indeed, this impacts jsbn only normally since all others from the time getRandomValues was available are supposed to implement both

On 10/04/2018 at 15:32, Jason Davies wrote:
>>> Note that even with v1.4, it still does not use high-quality entropy for
>>> Internet Explorer, because

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Jason Davies via bitcoin-dev
>> Note that even with v1.4, it still does not use high-quality entropy for
>> Internet Explorer, because getRandomValues is provided under window.msCrypto
>> for that browser.
>
> I don't know for that one, what was the issue?

I simply meant that Internet Explorer implements the Web Cryptography

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Aymeric Vitte via bitcoin-dev
I used jsbn in the past, then I made some research too

Apparently window.crypto.getRandomValues was introduced in jsbn mid 2012 (according to the wayback machine, but 2012/2013 does not make any difference, see below), was available in Chrome since 2011 (but indeed see

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Jason Davies via bitcoin-dev
On 10 Apr 2018, at 00:39, m...@musalbas.com wrote:
> The original disclosure didn't contain any information about the library
> in question, so I did some digging.
>
> I think that the vulnerability disclosure is referring to a pre-2013
> version of jsbn, a JavaScript crypto library. Before it

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-09 Thread Jason Davies via bitcoin-dev
These issues all stem from the RC4-based RNG implementation (with insecure fallback entropy) in Tom Wu's jsbn library, published here: http://www-cs-students.stanford.edu/~tjw/jsbn/

Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's code (published to NPM):

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-09 Thread Mustafa Al-Bassam via bitcoin-dev
The original disclosure didn't contain any information about the library in question, so I did some digging.

I think that the vulnerability disclosure is referring to a pre-2013 version of jsbn, a JavaScript crypto library. Before it used the CSRNG in the Web Crypto API, it tried to use

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-09 Thread Mustafa Al-Bassam via bitcoin-dev
Here's the code in question: https://github.com/jasondavies/jsbn/pull/7

Best,

Mustafa

On 06/04/18 21:51, Matias Alejo Garcia via bitcoin-dev wrote:
> Source?
>
> On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev
>

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-09 Thread Mustafa Al-Bassam via bitcoin-dev
And specifically, here's a version of it that uses Arcfour: https://gist.github.com/jonls/5230850

On 09/04/18 22:11, Mustafa Al-Bassam wrote:
>
> Here's the code in question: https://github.com/jasondavies/jsbn/pull/7
>
> Best,
>
> Mustafa
>
>
> On 06/04/18 21:51, Matias Alejo Garcia via

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-06 Thread Matias Alejo Garcia via bitcoin-dev
Source?

On Fri, Apr 6, 2018 at 4:53 PM, ketamine--- via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> A significant number of past and current cryptocurrency products
> contain a JavaScript class named SecureRandom(), containing both
> entropy collection and a PRNG. The entropy