try to avoid key compromise from entropy failures
arlolra committed Jun 15, 2013
1 parent a838380 commit 8a1c8fa
Showing 1 changed file with 21 additions and 5 deletions.
26 changes: 21 additions & 5 deletions lib/dsa.js
Expand Up @@ -75,7 +75,6 @@
var bit_lengths = { var bit_lengths = {
'1024': { N: 160, repeat: 40 } // 40x should give 2^-80 confidence '1024': { N: 160, repeat: 40 } // 40x should give 2^-80 confidence
, '2048': { N: 224, repeat: 56 } , '2048': { N: 224, repeat: 56 }
, '3072': { N: 256, repeat: 64 }
} }


var primes = {} var primes = {}
Expand Down Expand Up @@ -205,16 +204,33 @@
return str.toString(CryptoJS.enc.Base64) return str.toString(CryptoJS.enc.Base64)
}, },


// http://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
generateNonce: function (m) {
var priv = HLP.bigInt2bits(BigInt.trim(this.x, 0))
var rand = HLP.bigInt2bits(BigInt.randBigInt(256))

var sha256 = CryptoJS.algo.SHA256.create()
sha256.update(CryptoJS.enc.Latin1.parse(priv))
sha256.update(m)
sha256.update(CryptoJS.enc.Latin1.parse(rand))

var hash = sha256.finalize()
hash = HLP.bits2bigInt(hash.toString(CryptoJS.enc.Latin1))
BigInt.rightShift_(hash, 256 - BigInt.bitSize(this.q))

return HLP.between(hash, ZERO, this.q) ? hash : this.generateNonce(m)
},

sign: function (m) { sign: function (m) {
m = CryptoJS.enc.Latin1.parse(m) // CryptoJS.SHA1(m) m = CryptoJS.enc.Latin1.parse(m)
m = BigInt.str2bigInt(m.toString(CryptoJS.enc.Hex), 16) var b = BigInt.str2bigInt(m.toString(CryptoJS.enc.Hex), 16)
var k, r = ZERO, s = ZERO var k, r = ZERO, s = ZERO
while (BigInt.isZero(s) || BigInt.isZero(r)) { while (BigInt.isZero(s) || BigInt.isZero(r)) {
k = makeRandom(ZERO, this.q) k = this.generateNonce(m)
r = BigInt.mod(BigInt.powMod(this.g, k, this.p), this.q) r = BigInt.mod(BigInt.powMod(this.g, k, this.p), this.q)
if (BigInt.isZero(r)) continue if (BigInt.isZero(r)) continue
s = BigInt.inverseMod(k, this.q) s = BigInt.inverseMod(k, this.q)
s = BigInt.mult(s, BigInt.add(m, BigInt.mult(this.x, r))) s = BigInt.mult(s, BigInt.add(b, BigInt.mult(this.x, r)))
s = BigInt.mod(s, this.q) s = BigInt.mod(s, this.q)
} }
return [r, s] return [r, s]
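Review bot: The new generateNonce silently depends on `m` already being a CryptoJS WordArray (sign passes the Latin1-parsed value), but the method is public and `sha256.update` would treat a raw string as UTF-8, so the same message bytes could yield a different nonce depending on the caller; a one-line comment above the signature, `// m: CryptoJS WordArray (the Latin1-parsed message as prepared in sign()), not a raw string`, pins that contract. The range check `HLP.between(hash, ZERO, this.q)` must exclude ZERO for k to be invertible in `BigInt.inverseMod(k, this.q)`; HLP.between is not visible here, so confirm it is strictly exclusive on the lower bound rather than inclusive. The truncation `BigInt.rightShift_(hash, 256 - BigInt.bitSize(this.q))` followed by rejection of values at or above q is the right shape for an unbiased k, and is worth stating in a comment such as `// truncate to bitSize(q) bits and reject >= q; a plain mod q would bias k` so a later reader does not simplify it into a modular reduction. The closing brace of sign lies outside the hunk.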

2 comments on commit 8a1c8fa

@nadimkobeissi

Very interesting. Just finished reading Adam Langley's post. I haven't checked whether your implementation is 100% according to his specifications, but this seems like a smart idea actually.

@arlolra
