The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,915 other followers

Archive for September 8th, 2022

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers (see CVE-2021-41117 | GitHub Security Lab)

Posted by jpluimers on 2022/09/08

I’ve mentioned this in the past, but not sure I did that on my blog yet, so here it goes:

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers.

Push as much as you can to well tested external libraries.

See for instance [Wayback/Archive.is] GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 | GitHub Security Lab

Three went wrong, leading to easy to guess RSA security keys:

  1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and Math.random.
  2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available.
  3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero.

The most important thing that went wrong was seeding the random number generator, cascading

Via:

–jeroen

Posted in Development, Encryption, Hashing, Power User, Security, Software Development | Leave a Comment »

 
%d bloggers like this: