Bill Buchanan - A Novice Mistake: Meet Milk Sad … And The 32-bit Key!!!!!!
ASecuritySite Podcast - A podcast by Professor Bill Buchanan OBE
A team of developers at Distrust and others has discovered a weakness in the cryptographic method used to create a random seed for the Libbitcoin Explorer wallet. This is allegedly behind a number of cryptocurrency thefts on 12 July 2023 and in November 2022. The vulnerability has been given the CVE identifier CVE-2023-39910 and dubbed Milk Sad [here]. Basically, the wallet uses the bx seed program, which uses a Mersenne Twister [here] as its random generator. Overall, it is a secure method when used with a strong seed value. Normally these nonce values are at least 92 bits long, but more typically at least 128 bits. Unfortunately, in this case, it is initialised with 32 bits of system time. A sample run [here]:

    % bx seed
    6183d30558f3f56b0f7248aea1ed9b1098037ff5ad5eea69
    % bx seed
    090a30f539d443b9ca61cc40c0e8142fc3e95c2e2d288a85
    % bx seed | bx ec-new > private_key
    % cat private_key
    43c8175d0dc33bfca0bd6bb5f758fd3489da33b08e9b65cd377436952cbc6eb3

We can see that bx seed generates a random number which has 48 hex characters, and thus 24 bytes. This gives us 192 bits of output, but the nonce is only 32 bits long. We then use ec-new to create a 256-bit private key for secp256k1. And so the problem is trivial ... we only use 32 bits of system time to generate the random seed. For anyone who has studied cryptography, you should know that we need at least 72 bits of random seed to be safe from brute-force recovery. Basically, cracking a 32-bit value is fairly easy ... if not trivial. For this, the number of possible keys will thus be: 4,294,967,296, whereas normally we need 256 bits of entropy, which is: 115792089237316195423570985008687907853269984665640564039457584007913129639936. Overall, it will take less than a day to brute force a private key, as, on average, we only have to try keys within a 2³² space - this is the key entropy. There are a few ways to set up bx, but once the base configuration is known, it is then easy to brute force the key.
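The weak pattern beside the correct one, as an added illustration that is not code from bx or from the Milk Sad disclosure. It assumes Python's random module as a stand-in for the Mersenne Twister (its seeding routine differs from std::mt19937, so the bytes are not bx's actual output), and shows why 192 bits of PRNG output seeded from 32 bits still leaves only a 2³² key space.

```python
import random
import secrets

SEED_BYTES = 24  # bx seed emits 24 bytes (48 hex characters, 192 bits)


def weak_seed(system_time_32: int) -> bytes:
    """Flawed pattern: a Mersenne Twister seeded with a 32-bit timestamp.

    Illustrative stand-in only: Python's random.Random is MT19937 but uses
    a different seeding routine than std::mt19937, so this does not
    reproduce bx output. The point is that the output is a pure function
    of a 32-bit value, however many bytes are drawn from it.
    """
    rng = random.Random(system_time_32 & 0xFFFFFFFF)
    return rng.getrandbits(SEED_BYTES * 8).to_bytes(SEED_BYTES, "big")


def strong_seed() -> bytes:
    """Correct pattern: draw the seed from the OS CSPRNG, not from a PRNG
    seeded with the clock."""
    return secrets.token_bytes(SEED_BYTES)


def effective_entropy_bits(output_bits: int, seed_bits: int) -> int:
    """A deterministic generator cannot yield more entropy than its seed,
    so the usable entropy is the smaller of output width and seed width."""
    return min(output_bits, seed_bits)


def keyspace(entropy_bits: int) -> int:
    """Number of candidate keys an attacker must search for a given
    amount of entropy."""
    return 1 << entropy_bits


if __name__ == "__main__":
    # Time 0 always yields the same 24 bytes: the generator is not random
    # at all once the seed is known.
    print(weak_seed(0).hex())
    print(strong_seed().hex())
    print(keyspace(effective_entropy_bits(192, 32)))   # 4294967296
    print(keyspace(256))
```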
Once the private key is discovered, the intruder can then drain the wallet of cryptocurrency — by signing transfers. The name “Milk Sad” comes from a system time of 0.0, which gives a secret of:

    milk sad wage cup reward umbrella raven visa give list decorate bulb gold raise twenty fly manual stand float super gentle climb fold park

Conclusions

This is sheep-following-sheep. Someone on the Internet would have shown the bx key generation method, and others then just followed it. More details of the vulnerability here: