
try to avoid key compromise from entropy failures

arlolra committed Jun 15, 2013
1 parent a838380 commit 8a1c8fa845f3120669c1177b34d61edd0a7194c0
Showing with 21 additions and 5 deletions.
  1. +21 −5 lib/dsa.js
@@ -75,7 +75,6 @@
var bit_lengths = {
'1024': { N: 160, repeat: 40 } // 40x should give 2^-80 confidence
, '2048': { N: 224, repeat: 56 }
, '3072': { N: 256, repeat: 64 }
}

var primes = {}
@@ -205,16 +204,33 @@
return str.toString(CryptoJS.enc.Base64)
},

// http://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
generateNonce: function (m) {
var priv = HLP.bigInt2bits(BigInt.trim(this.x, 0))
var rand = HLP.bigInt2bits(BigInt.randBigInt(256))

var sha256 = CryptoJS.algo.SHA256.create()
sha256.update(CryptoJS.enc.Latin1.parse(priv))
sha256.update(m)
sha256.update(CryptoJS.enc.Latin1.parse(rand))

var hash = sha256.finalize()
hash = HLP.bits2bigInt(hash.toString(CryptoJS.enc.Latin1))
BigInt.rightShift_(hash, 256 - BigInt.bitSize(this.q))

return HLP.between(hash, ZERO, this.q) ? hash : this.generateNonce(m)
},

sign: function (m) {
m = CryptoJS.enc.Latin1.parse(m) // CryptoJS.SHA1(m)
m = BigInt.str2bigInt(m.toString(CryptoJS.enc.Hex), 16)
m = CryptoJS.enc.Latin1.parse(m)
var b = BigInt.str2bigInt(m.toString(CryptoJS.enc.Hex), 16)
var k, r = ZERO, s = ZERO
while (BigInt.isZero(s) || BigInt.isZero(r)) {
k = makeRandom(ZERO, this.q)
k = this.generateNonce(m)
r = BigInt.mod(BigInt.powMod(this.g, k, this.p), this.q)
if (BigInt.isZero(r)) continue
s = BigInt.inverseMod(k, this.q)
s = BigInt.mult(s, BigInt.add(m, BigInt.mult(this.x, r)))
s = BigInt.mult(s, BigInt.add(b, BigInt.mult(this.x, r)))
s = BigInt.mod(s, this.q)
}
return [r, s]
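Review bot: The unpredictability of k in generateNonce rests entirely on `BigInt.randBigInt(256)`, because the private key and the message are fixed for a given signature; the stock leemon BigInt `randBigInt` draws from `Math.random()`, so unless the copy this file loads has been patched to use a CSPRNG (not visible from this hunk) the hashing only protects against a repeated k, not a predictable one, and that expectation deserves a comment at the call site. The function also assumes `this.q` is at most 256 bits, since the shift amount `256 - BigInt.bitSize(this.q)` goes negative otherwise; this holds for the bit_lengths table above but is not checked. I would state the contract above the function: `// k = H(x || m || 256 random bits), truncated to bitSize(q) bits and rejection-sampled into (0, q); m must be the CryptoJS WordArray built in sign(), and q must be <= 256 bits for the shift below.` The closing brace of sign lies outside the hunk.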

2 comments on commit 8a1c8fa

@kaepora



kaepora replied Jun 15, 2013

Very interesting. Just finished reading Adam Langley's post. I haven't checked whether your implementation is 100% according to his specifications, but this seems like a smart idea actually.

@arlolra



arlolra replied Jun 21, 2013
