Credits / Found by Jean-Philippe Aumasson: https://github.com/veorq
KeyID::generatePrivateKey() relies on random_buffer(), which uses tinyMT32 as its PRNG. The PRNG is initialized only once using a 32-bit seed derived from micros().
This is not a cryptographically secure RNG, and the 32-bit timer seed makes the generated private keys predictable and brute-forceable. All keys produced by the current implementation are vulnerable. A hardware CSPRNG or proper DRBG must be used instead.
Links:
|
void KeyID::generatePrivateKey(Web3* web3) |
|
{ |
|
random_buffer(privateKeyBytes, ETHERS_PRIVATEKEY_LENGTH); |
|
static int initialized = 0; |
|
if (!initialized) { |
|
tinymt32_init(&tinymt, (uint32_t)micros()); |
Credits / Found by Jean-Philippe Aumasson: https://github.com/veorq
KeyID::generatePrivateKey()relies onrandom_buffer(), which usestinyMT32as its PRNG. The PRNG is initialized only once using a 32-bit seed derived frommicros().This is not a cryptographically secure RNG, and the 32-bit timer seed makes the generated private keys predictable and brute-forceable. All keys produced by the current implementation are vulnerable. A hardware CSPRNG or proper DRBG must be used instead.
Links:
Web3E/src/KeyID.cpp
Lines 48 to 50 in c19324c
Web3E/src/Trezor/rand.c
Lines 362 to 364 in c19324c