That is super lucky. They didn’t break the crypto, they broke the PRNG. Amateur ...

fallingsquirrel · 2024-05-29T02:25:19 1716949519

To be fair, this was not a wallet bug. It was a bug in an unrelated password manager.

demondemidi · 2024-05-29T15:55:36 1716998136

Ah good point. Thanks.

AlotOfReading · 2024-05-29T01:12:52 1716945172

Almost all cryptosystems are broken by implementation issues, not attacks on the algorithms themselves. This may be a particularly straightforward attack, but crypto is hard. There's a lot of details you have to get right and a single mistake can destroy all the effort, regardless of how much else you got right.

ipython · 2024-05-29T01:33:43 1716946423

This happens all the time. If I had a nickel for every system I broke with a time based prng, I’d have like 10 bucks by now.

udev4096 · 2024-05-29T08:22:09 1716970929

What's the most random and wildly known way, apart from time based, to pick a seed value then?

koliber · 2024-05-29T12:01:48 1716984108

Combine the time with some other incremental hard-to-predict inputs.

Start with the time, in the milliseconds (not seconds, i.e. epoch time). Use that seed to create a random number. That random number is now your master_seed.

Once every 10 seconds, measure the temperature of the CPU, and every other temperature sensor in the system, and put that into a new random seed. Create a random number using this seed. XOR it with the mast_seed and store it as the new masted_seed.

Every time someone moves a mouse, use the timestamp and the pixel offset to update the master_seed similarly as above.

Every time a packet comes into the ethernet interface, use the timestamp and a hash of the packet contents, and update the random seed.

XOR the contents of the video buffer.

Track the timing of keyboard clicks.

There are lots of sources of entropy that you can use to make the seed effectively unguessable.

ipython · 2024-05-29T14:13:36 1716992016

just like anything else with cryptography, please don't roll your own. all major OSes and programming languages provide primitives to generate cryptographically strong random numbers- use that instead.

koliber · 2024-05-29T14:48:05 1716994085

Yes!

I was hoping to illustrate the the grandparent post where more entropy can come from.

oniony · 2024-05-29T10:00:04 1716976804

I'm guessing "wildly known" was a typo, but I'll bite onto that type anyway and put forward https://en.wikipedia.org/wiki/Lavarand and Cloudfare's pendulums https://blog.cloudflare.com/harnessing-office-chaos.

demondemidi · 2024-05-29T15:56:12 1716998172

Seed? Use a TRNG. Every embedded processor (nearly) has a NIST qualified TRNG. Ring-oscillator for entropy, plus conditioning (whitening), there's your seed. Sometimes amplified thermal noise, but the ROSC is the easiest to manufacture.

ipython · 2024-05-29T11:58:40 1716983920

From a developers point of view- if you are given an option to provide a seed value, you’re using the wrong api. Libraries exist to provide cryptographically appropriate rngs in every major programming language- use those instead.