{"id":6241,"date":"2018-04-11T18:37:10","date_gmt":"2018-04-11T18:37:10","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=6241"},"modified":"2018-04-12T21:12:38","modified_gmt":"2018-04-12T21:12:38","slug":"javascript-securerandom-isnt-securely-random-most-web-wallets-affected-and-the-bug-was-warned-of-five-years-ago","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2018\/04\/11\/javascript-securerandom-isnt-securely-random-most-web-wallets-affected-and-the-bug-was-warned-of-five-years-ago\/","title":{"rendered":"JavaScript SecureRandom() isn’t securely random \u2014 many old web wallets affected \u2014 and the bug was warned of five years ago (UPDATED)"},"content":{"rendered":"

Update:<\/b> The word “Most” in the original title of this post is incorrect — see details at end.<\/p>\n

\n

Cryptography is profoundly unforgiving of errors. You don’t mess with it. You don’t roll your own \u2014 you need battle-hardened algorithms that have been torture-tested by the most technically ruthless cryptographers you can find.<\/p>\n

And you stop using old cryptographic algorithms that have known weaknesses.<\/a> And you fix this sort of thing straight away<\/i>.<\/p>\n

Unless you’re in cryptocurrency, apparently.<\/p>\n

The popular JavaScript SecureRandom()<\/tt> library … isn\u2019t securely random.<\/a><\/p>\n

It will generate cryptographic keys that, despite their length, have less than 48 bits of entropy<\/a> \u2014 since JavaScript isn’t type safe,<\/a> there’s a bug in SecureRandom()<\/tt> such that it fails to use the browser’s window.crypto<\/a> … so it falls back to the cryptographically insecure Math.random()<\/tt>,<\/a> which is only pseudo-random,<\/a> and can generate no more than 248<\/sup> different values\u2014 so its output will have no more than 48 bits of entropy even if its seed<\/a> has more than that (which is unlikely). SecureRandom()<\/tt> then runs the number it gets through the obsolete RC4 algorithm,<\/a> which is known to be more predictable than it should be, i.e.<\/i> less bits of entropy. Thus, your key is more predictable:<\/p>\n

The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015<\/p>\n

And all wallets using jsbn are impacted by Math.random and RC4 until 2013 (or end 2015 for Chrome), then still by the RC4 fallback step after<\/p><\/blockquote>\n

What that means is that the keys will be predictable enough to crack<\/a> by sheer brute-force attack of computing power. You might think you have a key long enough that it can’t be cracked before the sun goes out \u2014 but it turns out you could do it in a week.<\/p>\n

So a\u00a0lot<\/em> of browser-based cryptocurrency products that still use SecureRandom()<\/tt> are generating keys that are open to being cracked.<\/p>\n

Check with your product’s author or vendor<\/strong> \u2014 there’s a real mess to clean up here.<\/p>\n

Like all good cryptocurrency bugs, this one isn’t new at all \u2014 here’s Greg Maxwell talking about it nearly three years ago<\/em><\/a> (51:00 on):<\/p>\n

 <\/p>\n