Source: www.schneier.com – Author: Bruce Schneier
Comments
Clive Robinson •
@ Bruce,
If I remember rightly it was 94 or 95 when you wrote about the lack of entropy in a well known browser of the time. They had also decided to keep it hidden via “security by obscurity”.
If memory serves it used only SysTime, ProcID and UsrID (So next to no entropy either).
These people are doing even less…
That’s just under 30 years that this has been publicly known to be not just a very bad idea, but totally insecure.
As this is in a “financial application” and millions if not billions of dollars could be expected to be held behind it…
It’s difficult not to go to “Malice” rather than “incompetence”.
Speaking of which, who remembers the 2008 Debian line deletion followed by the even worse clean up that got immortalized by XKCD 424,
David in Toronto •
So to summarize, they use a more secure algorithm seeded with a small seed and an insecure PRNG.
Or to use the puffed rice analogy, the seed is the number of a single grain of rice in a bag that they boil up to fill an entire gigantic swimming pool! They mistakenly thought they have the security of guessing a single grain of rice in the entire pool. But in reality you still only need to try all the numbers in the small bag.
Classic DIY problem.
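The point of the comment above, as an added example that is not part of the thread or of libbitcoin's code: a 256-bit key expanded from a small seed can take no more distinct values than the seed can. Python's `random.Random` stands in for "an insecure PRNG", and the 16-bit seed width and all function names are assumptions chosen so the whole seed space can be enumerated quickly.

```python
import random
import secrets

# Toy seed width so the whole seed space can be walked in about a second;
# the thread discusses a 2^32 space. This value is an assumption of the example.
SEED_BITS = 16


def weak_key(seed: int) -> bytes:
    """256-bit key expanded from a small seed by a non-cryptographic PRNG."""
    rng = random.Random(seed)  # Mersenne Twister, deterministic per seed
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """256-bit key drawn directly from the operating system CSPRNG."""
    return secrets.token_bytes(32)


def keyspace_size(seed_bits: int = SEED_BITS) -> int:
    """Number of distinct keys weak_key() can ever return."""
    return len({weak_key(s) for s in range(1 << seed_bits)})


def reachable_from_small_seed(key: bytes, seed_bits: int = SEED_BITS) -> bool:
    """Audit check: could this key have come out of weak_key()?"""
    return any(weak_key(s) == key for s in range(1 << seed_bits))


if __name__ == "__main__":
    print("key length in bits:", len(weak_key(1)) * 8)
    print("distinct weak keys:", keyspace_size())
    print("weak key reachable:", reachable_from_small_seed(weak_key(4242)))
    print("OS-random key reachable:", reachable_from_small_seed(strong_key()))
```

The key is 256 bits long either way; only the one drawn from `secrets` has 256 bits of entropy behind it.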
iAPX •
Even with a hard-drive to do the lookup with public-key hashmap and storing related 2^32 private keys, a basic computer could identify exposed wallets faster than it could generate the transactions, knowing how much is in each wallet because it’s exposed through the blockchain! lol!
This is humongous!
There might be billions at stake, only for a flawed PRNG.
And you don’t really know if the software stack that you use, on your smartphone usually or in your computer, uses this libbitcoin that seems very popular!
I have very mixed feelings about crypto-currencies and bitcoin specifically, but wasn’t expecting what looks like a serious supply chain attack…
Original Post URL: https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbitcoin-explorer-cryptocurrency-wallet.html
Category & Tags: Uncategorized, cryptocurrency, keys, random numbers