Investigate possible encoding problem #22

r-marques · 2016-09-06T11:58:38Z

r-marques · 2016-09-13T16:36:02Z

This is issue seems to be related to week the use of weak keys in ed25519 see jedisct1/libsodium#112

This is possible if the attacker is able to control the public key, the signature and the message to be signed. For bigchaindb the clients can choose their public keys and do provide the signature, but the message is the transaction itself. I don't think it would be possible to forge a transaction such that a signature would verify in this case.

But just to be sure I think we should switch to [NaCL][https://nacl.cr.yp.to/] since it has a good reputation and libsodium is under active development and there are good python bindings for it.

libsodium does blacklist public keys and returns a bad signature error if a weak public key is being used https://github.com/jedisct1/libsodium/blob/22ab28be0a80878452836c08161a26005c460630/src/libsodium/crypto_sign/ed25519/ref10/open.c#L38

r-marques self-assigned this Sep 6, 2016

sohkai mentioned this issue Sep 9, 2016

ed25519_generate_key_pair should return decoded strings #23

Closed

r-marques mentioned this issue Sep 28, 2016

Fix encoding problem #28

Merged

1 task

r-marques added the z: dummy-label-for-waffle label Sep 28, 2016

r-marques closed this as completed in #28 Oct 4, 2016

r-marques removed the z: dummy-label-for-waffle label Oct 4, 2016

diminator mentioned this issue Oct 13, 2016

Ed25519VerifyingKey bug bigchaindb/bigchaindb#617

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate possible encoding problem #22

Investigate possible encoding problem #22

r-marques commented Sep 6, 2016

r-marques commented Sep 13, 2016

Investigate possible encoding problem #22

Investigate possible encoding problem #22

Comments

r-marques commented Sep 6, 2016

r-marques commented Sep 13, 2016