Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue affects the transaction signing code only, not the generation of private keys.
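Why a duplicated R value is fatal even though the private keys themselves were generated correctly, as an added example (my code, not from the thread and not blockchain.info, bitcoinjs-lib or randjs code): a toy textbook ECDSA over secp256k1 in JavaScript BigInt signs two different message hashes with the same nonce k, which yields the same r, and then recovers the private key from the two signatures alone. The private key, nonce and message hashes are constructed values; the function names are my own.

```javascript
// Added example (not from this thread, not blockchain.info, bitcoinjs-lib or
// randjs code): why two signatures sharing an R value give away the key.
// Toy textbook ECDSA over secp256k1 using BigInt. Affine, variable-time
// arithmetic: fine for a demonstration, never for a real wallet.

const P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn;
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const G = {
  x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
  y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n,
};

const mod = (a, m) => ((a % m) + m) % m;

// Modular inverse by the extended Euclidean algorithm.
function modInv(a, m) {
  let [g, h] = [mod(a, m), m];
  let [x, y] = [1n, 0n]; // invariant: g = x*a and h = y*a (mod m)
  while (h !== 0n) {
    const q = g / h;
    [g, h] = [h, g - q * h];
    [x, y] = [y, x - q * y];
  }
  if (g !== 1n) throw new Error('value is not invertible');
  return mod(x, m);
}

// secp256k1 is y^2 = x^3 + 7 over F_P; null stands for the point at infinity.
function isOnCurve(A) {
  return mod(A.y * A.y - A.x * A.x * A.x - 7n, P) === 0n;
}

function pointAdd(A, B) {
  if (A === null) return B;
  if (B === null) return A;
  let lambda;
  if (A.x === B.x) {
    if (mod(A.y + B.y, P) === 0n) return null; // B = -A
    lambda = mod(3n * A.x * A.x * modInv(2n * A.y, P), P); // doubling (a = 0)
  } else {
    lambda = mod((B.y - A.y) * modInv(B.x - A.x, P), P);
  }
  const x = mod(lambda * lambda - A.x - B.x, P);
  const y = mod(lambda * (A.x - x) - A.y, P);
  return { x, y };
}

// Double-and-add scalar multiplication.
function scalarMul(k, A) {
  let acc = null;
  for (let addend = A; k > 0n; k >>= 1n) {
    if (k & 1n) acc = pointAdd(acc, addend);
    addend = pointAdd(addend, addend);
  }
  return acc;
}

// ECDSA signing with the nonce k passed in, so the caller can play the role
// of an RNG that hands out the same k twice. z is the message hash as a BigInt.
function sign(d, z, k) {
  const r = mod(scalarMul(k, G).x, N);
  const s = mod(modInv(k, N) * (z + r * d), N);
  if (r === 0n || s === 0n) throw new Error('unusable nonce');
  return { r, s };
}

function verify(pub, z, sig) {
  const w = modInv(sig.s, N);
  const R = pointAdd(scalarMul(mod(z * w, N), G), scalarMul(mod(sig.r * w, N), pub));
  return R !== null && mod(R.x, N) === sig.r;
}

// Two signatures with equal r were made with equal k, so
//   s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2)
//   s1 = k^-1 (z1 + r d)      =>  d = (s1 k - z1) / r
function recoverPrivateKey(z1, sig1, z2, sig2) {
  if (sig1.r !== sig2.r) throw new Error('signatures do not share an R value');
  const k = mod((z1 - z2) * modInv(sig1.s - sig2.s, N), N);
  return mod((sig1.s * k - z1) * modInv(sig1.r, N), N);
}

// Constructed private key, nonce and message hashes (not real wallet data).
const PRIV = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEFn;
const BAD_NONCE = 0x0FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA987654321n;
const Z1 = 0x1111111111111111111111111111111111111111111111111111111111111111n;
const Z2 = 0x2222222222222222222222222222222222222222222222222222222222222222n;

// Sign two different "transactions" with the same k, then recover the key.
function demo() {
  const pub = scalarMul(PRIV, G);
  const sig1 = sign(PRIV, Z1, BAD_NONCE);
  const sig2 = sign(PRIV, Z2, BAD_NONCE);
  return {
    bothValid: verify(pub, Z1, sig1) && verify(pub, Z2, sig2),
    sameR: sig1.r === sig2.r,
    recovered: recoverPrivateKey(Z1, sig1, Z2, sig2) === PRIV,
  };
}
```

Both signatures verify, share r, and `demo().recovered` is true. One caveat for anyone doing this against real Bitcoin transactions: signers that normalise to low-s may have replaced one s with n - s, so a practical recovery tool tries both sign combinations of s2 and keeps the candidate d whose public key matches the one that spent the coins.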
Was this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.
I am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed:
https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.js
You can see where the RNG gets fed in here:
https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237
I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser:
https://github.com/kyledrake/randjs.
I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!