How does AirGap ensure randomness?

PRNG attack vector: How does AirGap ensure random seed phrase generation?

AirGap

Exploring the PRNG Attack Vector in Crypto Security. Delve into the depths of this vulnerability and discover how AirGap’s innovative measures provide a fortified defense for your digital assets.

The recent CVE-2023-39910 vulnerability has exposed a critical weakness in the Libbitcoin Explorer (bx) cryptocurrency wallet tool, particularly in its seed generation process. This vulnerability, with potentially disastrous consequences, underscores the importance of secure seed phrase generation in the world of cryptocurrencies. But what exactly is this PRNG attack vector, and how does AirGap’s cutting-edge solution provide an impervious defense? Let’s break it down in plain language.

PRNG Attack Vector Simply Explained

We don’t want you to scratch your heads while reading the technical details, so let’s go through the attack vector in simple language.

Imagine you have a special tool called Libbitcoin Explorer (bx) that helps you manage your cryptocurrency wallet, like a digital wallet for your money. This tool is widely used, but it has a problem with its security.

The bx tool is like a password generator, but it’s not very good at ensuring complete randomness while generating your passwords. Therefore, bad people can predict your seed phrases and steal all your money.

This is exactly what happened to the Libbitcoin Explorer. It had a faulty key generation mechanism, allowing private keys to be guessed by attackers. As a result, attackers exploited this vulnerability to steal over $900,000 worth of crypto.

SlowMist identified the cybersecurity team “Distrust” as the team that originally discovered the loophole called the “Milk Sad” vulnerability. It was reported to the CVE cybersecurity vulnerability database on August 7th.

In terms of timeline, the primary theft event occurred around July 12, 2023, though preliminary exploitation might have commenced on a smaller scale in May 2023. A previous occurrence of a similar vulnerability in different wallet software, detected in November 2022 and subsequently exploited, could be considered a precursor to this incident.

Read the original article here — https://milksad.info/

What’s the solution to this issue and how does AirGap ensure complete randomness in seed phrase generation?

Right from the start, we’ve been on top of things when it comes to those tricky random number generators. We’ve taken security to the next level by incorporating multiple sources of randomness, including the camera, microphone, accelerometer, and even touch inputs. It’s like adding extra layers of protection to your secret recipe.
So, even if someone gets their hands on a wonky RNG, they still can’t sneak off with your secret recovery phrase in AirGap. Your crypto’s safe and sound with us! If you want to learn more about RNG and our Secure Key Generation setup, have a look at our documentation.

There is more.

For enhanced randomness, advanced users can choose advanced entropy generation techniques like the dice roll or coin flip. The method involves taking user inputs to ensure total randomness. Here’s how it works:

The dice roll/coin flip feature is very simple. You have the option to employ dice or coin flips to create a specific sequence of inputs. For instance, if you opt for coin flips, you will require 256 flips to attain the necessary randomness or entropy for a 24-word mnemonic. Conversely, dice rolls necessitate 99 instances. It’s feasible to gather entropy manually, without any digital assistance, and record the results. AirGap Vault’s role in this process is solely to compute your mnemonic using the entropy you furnish. This process follows a deterministic pattern, enabling you to verify the accuracy of our implementation by comparing it with another wallet’s output, as it will consistently produce the same result.
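The deterministic step described above, as an added example (not AirGap's code): it turns 256 recorded coin flips into the 24 BIP39 word indices, so the same flips can be checked against another wallet's output. The heads-to-1 and tails-to-0 mapping and the function names are assumptions; the page does not state how AirGap Vault maps flips to bits.

```python
import hashlib


def flips_to_entropy(flips: str) -> bytes:
    """Pack 256 coin flips into 32 bytes (assumed mapping: H -> 1, T -> 0)."""
    flips = flips.upper().replace(" ", "")
    if len(flips) != 256 or set(flips) - {"H", "T"}:
        raise ValueError("expected exactly 256 flips written as H or T")
    bits = "".join("1" if f == "H" else "0" for f in flips)
    return int(bits, 2).to_bytes(32, "big")


def bip39_word_indices(entropy: bytes) -> list:
    """Return the BIP39 word indices (0..2047) for 16 to 32 bytes of entropy.

    Index i is line i + 1 of the BIP39 English wordlist.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 8 checksum bits for a 24-word mnemonic
    # The checksum is the leading cs_bits of SHA-256(entropy).
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    # Split entropy || checksum into 11-bit groups, most significant first.
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    # Constructed sample input: an alternating pattern, NOT a usable seed.
    sample_flips = "HT" * 128
    indices = bip39_word_indices(flips_to_entropy(sample_flips))
    print(len(indices), "word indices:", indices)
```

Because no randomness enters after the flips are recorded, any BIP39-compliant tool fed the same bits must produce the same 24 indices.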

Conclusion

In conclusion, AirGap’s paramount focus is on security, an ongoing commitment reflected in our continuous enhancement of top-tier security features. In our unwavering dedication to robust security, we leave no space for the potential shortcomings of random number generators (RNGs). This resolute approach has driven the implementation of the aforementioned dual security measures. We earnestly encourage all our users to embrace and deploy these measures, thereby fortifying their security to the maximum extent possible. Your security is our priority, and we stand committed to delivering nothing short of excellence in this realm.
