Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit cryptography #23

Open
ryanxcharles opened this issue Jan 5, 2015 · 2 comments
Open

Audit cryptography #23

ryanxcharles opened this issue Jan 5, 2015 · 2 comments

Comments

@ryanxcharles
Copy link
Contributor

There was recently a serious error discovered in one of fullnode's dependencies. See this commit for information:

dbeab00

This reminds us that the cryptography in fullnode, both in the depencies and in the library itself, largely consist of recently-written cryptography that has not been properly audited. This issue is to contain the problem of "auditing the cryptography" and keep track of the progress made on this goal.

First, let's just list the dependencies that need to be audited:

  • bn.js
  • elliptic (particularly the secp256k1 code)
  • hash.js
  • aes
  • bs58
  • pbkdf2-compat
  • node-crypto
  • browserify-crypto

Second, all of the cryptography in fullnode needs to be audited.

"Auditing" is a somewhat vague goal, but I will propose two passes:

Pass 1: Review every line of source code, identify edge cases, confirm that test vectors exist that test the edge cases, or write new test vectors that test the edge cases. Furthermore, identify all standard test vectors and include those.

Pass 2: Re-implement all of the cryptography a second time, identify edge cases in the new implementation, write tests for them, then confirm that the old code passes the new tests (or fix any issues that arise). If there is reason to believe the new cryptography is better, then replace the old cryptography with the new cryptography.

Both passes should be performed on all cryptography dependencies and for all cryptography directly contained in the library.
@ryanxcharles ryanxcharles mentioned this issue Jan 5, 2015
Closed
@ryanxcharles
Copy link
Contributor Author

Greg Maxwell recently revealed that the development of libsecp256k1 revealed a bug in OpenSSL's big number squaring. They uncovered this bug by running specialized random tests around edge cases that were likely to contain bugs. We should run the same randomized tests on bn.js and elliptic to see if we can catch similar bugs.

ryanxcharles added a commit that referenced this issue Jan 12, 2015
@ryanxcharles
replace buffer hex string comparisons with cmp
5ffa0af 
In order to compare buffers, fullnode had been exclusively using node's
toString('hex') function and then doing a string comparison. This method is
subject to timing attacks for any cryptography-sensitive code. We replace all
such instances with the cmp.eq function which is constant-time.

Related issue: #23
@ryanxcharles
Copy link
Contributor Author

I have replaced all the string comparisons I could find with constant-time buffer comparisons in 5ffa0af , which should be resistant to timing attacks. I've noticed the bn.cmp method from bn.js is variable-time, so that should be either replaced with a constant-time version, or augmented with another version that is constant-time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ryanxcharles