Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security]: Avoid PrivateKey.cpp abuse resistance #3468

Open
satoshiotomakan opened this issue Oct 6, 2023 · 0 comments
Open

[Security]: Avoid PrivateKey.cpp abuse resistance #3468

satoshiotomakan opened this issue Oct 6, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@satoshiotomakan
Copy link
Collaborator

Describe the bug

Consider inserting the curve as a parameter to the private key and its storage. In addition, the Trust Wallet team should rigorously enforce that private keys cannot be accidentally used to generate signatures on multiple curves or signature schemes. To achieve this, the method sign’s implementation should either check that the parameter curve matches the curve parameter of the private key, or simply drop the parameter so that a private key is always used in tandem with the intended curve. The method signAsDER currently uses K-256 implicitly, which should check that the private key corresponds to this curve. Despite the lack of an associated flaw in the code at present, this approach should be installed due to the propensity for algorithm confusion attacks in the modern era.
@satoshiotomakan satoshiotomakan added the bug Something isn't working label Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@satoshiotomakan and others