The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,975 other subscribers

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers (see CVE-2021-41117 | GitHub Security Lab)

Posted by jpluimers on 2022/09/08

I’ve mentioned this in the past, but not sure I did that on my blog yet, so here it goes:

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers.

Push as much as you can to well tested external libraries.

See for instance [Wayback/Archive.is] GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 | GitHub Security Lab

Three went wrong, leading to easy to guess RSA security keys:

  1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and Math.random.
  2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available.
  3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero.

The most important thing that went wrong was seeding the random number generator, cascading

Via:

–jeroen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: