Re: Understanding SJCL random bug exposure


Mike Hamburg

Jul 25, 2012, 1:14:51 PM7/25/12
to sjcl-d...@googlegroups.com
Hi Chris,

You're also exposed from SJCL methods that call random internally. The symmetric ones do this for salt and nonce generation, but those mostly just have to be unique, so the random bug doesn't break them. But the ECC routines call it too, and they really need their randomness. So if you haven't changed the code for e.g. ECDSA sign (or getrandomwords itself), and you're using it, then you're exposed.

Cheers,
Mike

(Typed clumsily on a phone, sorry.)

Chris Templin <ctem...@gmail.com> wrote:

Hello,
I'm assessing our exposure to the recently patched bug in SJCL random. Can someone please confirm/refute my conclusion?

As I understand it, this was only an issue if SJCL was used as an interface to the browser's native crypto. Our code detects the availability of crypto.getRandomValues and calls it directly, only using sjcl.random.randomWords as a fallback if native crypto isn't available. So, it seems to me we've been insulated from this vulnerability all along. Am I interpreting this correctly?

Thanks in advance for your insight.

-Chris
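Mike's point is that calling `crypto.getRandomValues` yourself says nothing about what SJCL draws internally. One way to check that for your own code paths, as an added example that is not from this thread or from SJCL itself: temporarily wrap `sjcl.random.randomWords`, exercise the operations your application performs, and see which of them reach it. The `fakeSjcl` object below is a constructed stand-in for the library (its `encrypt` and `sign` are placeholders that draw a nonce the way the thread describes), so the audit runs offline.

```javascript
// Added example (not from the thread or from SJCL): record every call to
// sjcl.random.randomWords made while `exercise` runs, then restore it.
function auditRandomWords(sjclObj, exercise) {
  const original = sjclObj.random.randomWords;
  const calls = [];
  sjclObj.random.randomWords = function (nwords, paranoia) {
    // Note how many words were requested and the caller's stack, so an
    // internal salt/nonce/ECC-nonce draw can be traced to its SJCL routine.
    calls.push({ nwords, stack: new Error("randomWords call").stack });
    return original.call(this, nwords, paranoia);
  };
  try {
    exercise(sjclObj);
  } finally {
    sjclObj.random.randomWords = original; // always put the real one back
  }
  return calls;
}

// Constructed stand-in for sjcl (NOT the real library): encrypt() draws an
// IV from randomWords and sign() draws a nonce from it, mirroring the
// thread's description of which routines consume randomness internally.
const fakeSjcl = {
  random: {
    randomWords: function (n) {
      const out = [];
      for (let i = 0; i < n; i++) out.push(0); // placeholder words only
      return out;
    },
  },
  encrypt: function (key, plaintext) {
    const iv = this.random.randomWords(4);
    return { iv, ct: plaintext };
  },
  sign: function (hash) {
    const k = this.random.randomWords(8);
    return { k, hash };
  },
};

// Summarise exposure for the operations your application actually uses.
function exposureReport(sjclObj) {
  const calls = auditRandomWords(sjclObj, (s) => {
    s.encrypt("k", "hello");
    s.sign("h");
  });
  const wordsRequested = calls.reduce((sum, c) => sum + c.nwords, 0);
  return { calls: calls.length, wordsRequested };
}
```

Run `exposureReport(sjcl)` against the real library with your own operations in the callback; a non-zero count means some SJCL routine you use still reaches `sjcl.random` regardless of your direct `getRandomValues` call.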

Chris Templin

Jul 27, 2012, 10:35:30 AM7/27/12
to sjcl-d...@googlegroups.com
Mike,
Thanks for this helpful clarification. We're not using the SJCL ECC object at all and have not included that script in our application. Of course, I'll revisit this issue if we make use of ECC in the future, but for now I'm still confident that we've avoided this vulnerability. Your insight is much appreciated.

Best,
Chris

Mike Hamburg

Jul 27, 2012, 1:20:38 PM7/27/12
to sjcl-d...@googlegroups.com
Good to hear, and sorry for the inconvenience.

Cheers,
-- Mike