This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

eth_sign(address, sha3(msg)) should be eth_sign(address, msg) #3297

Closed
tomusdrw opened this issue Nov 9, 2016 · 3 comments

@tomusdrw
Collaborator

tomusdrw commented Nov 9, 2016

Hashing should be done internally to prevent chosen plaintext attacks.

See discussions here:
ethereum/go-ethereum#2940

@tomusdrw tomusdrw added F1-security 🛡 The client fails to follow expected, security-sensitive, behaviour. M4-core ⛓ Core client code / Rust. labels Nov 9, 2016
@tomusdrw tomusdrw changed the title eth_sign(address, hash) should be eth_sign(address, msg) eth_sign(address, sha3(msg)) should be eth_sign(address, msg) Nov 9, 2016
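
The difference between the two interfaces in the issue title, as an added example that is not part of the thread or of the client's code. HMAC stands in for the ECDSA signature and `hashlib.sha3_256` for the client's sha3; the function names, key and messages are all constructed for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed demo key"  # constructed; stands in for the account key

def digest(data: bytes) -> bytes:
    # Stand-in for the client's sha3 (hashlib's SHA3-256 is not Ethereum's Keccak-256).
    return hashlib.sha3_256(data).digest()

def _sign(d: bytes) -> bytes:
    # Stand-in for an ECDSA signature over a 32-byte digest.
    return hmac.new(DEMO_KEY, d, hashlib.sha256).digest()

def verifies_for(payload: bytes, sig: bytes) -> bool:
    """True if sig is a valid signature over digest(payload)."""
    return hmac.compare_digest(sig, _sign(digest(payload)))

def sign_caller_digest(d: bytes):
    """eth_sign(address, sha3(msg)): the caller hashes, the signer sees 32 opaque bytes."""
    if len(d) != 32:
        raise ValueError("expected a 32-byte digest")
    shown = "0x" + d.hex()  # all a confirmation prompt could display
    return _sign(d), shown

def sign_message(msg: bytes):
    """eth_sign(address, msg): the signer hashes, so it knows what it is signing."""
    shown = msg.decode("utf-8", errors="replace")
    return _sign(digest(msg)), shown

def demo():
    login = b"Log in to example.invalid, nonce 42"      # what the user expects to sign
    unseen = b"constructed payload the user never saw"  # chosen by the caller
    # Old interface: the caller submits digest(unseen) in place of digest(login).
    sig_old, shown_old = sign_caller_digest(digest(unseen))
    # New interface: the same 32 bytes are treated as the message and hashed again.
    sig_new, _ = sign_message(digest(unseen))
    # New interface, honest request: the prompt can show the real text.
    sig_ok, shown_ok = sign_message(login)
    return {
        "old_valid_for_unseen": verifies_for(unseen, sig_old),
        "old_prompt_shows_text": unseen.decode() in shown_old,
        "new_valid_for_unseen": verifies_for(unseen, sig_new),
        "honest_valid": verifies_for(login, sig_ok),
        "honest_prompt": shown_ok,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With internal hashing, the only way to obtain a signature over a payload is to hand that payload to the signer, where it can be inspected before anything is signed.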
@gavofyork
Contributor

Happy enough with this, but not sure if it's really a badass attack strategy since it all has to go through the trusted signer anyway.

@gavofyork gavofyork added this to the 1.5 Tenuity milestone Nov 11, 2016
@gavofyork
Contributor

@tomusdrw is this done already?

@tomusdrw
Collaborator Author

Nope, not yet. Will do today.
