Open svavantsa opened 8 years ago
The particular place in the code identified is choosing random bases for the Miller-Rabin primality testing. That part of the code base does not need secure randomness.
What does need secure randomness is the part of the code base that is involved in choosing your prime numbers that will be part of the RSA modulus. The code base currently has a fall-back to Math.random when it does not get enough entropy from the mouse: https://github.com/travist/jsencrypt/blob/3833eb95b9164bcff59bf52861fa4a9bbd32bafc/bin/jsencrypt.js#L1325
```javascript
while (rng_pptr < rng_psize) {
  var random = Math.floor(65536 * Math.random());
  rng_pool[rng_pptr++] = random & 255;
}
```
In the event that that code snippet is the main source of randomness, the implementation would be vulnerable to attack because Math.random() is very predictable. I do not know how likely this code is to be invoked in practice, but I note that not all devices have mice these days, so I would guess a device like an iPad (for example) might generate insecure keys. There are caveats here, as I note there is other code that is using window.crypto.getRandomValues, and I have no idea how likely that is to be available for randomness.
```javascript
// Pick bases at random, instead of starting at 2
a.fromInt(lowprimes[Math.floor(Math.random()*lowprimes.length)]);
```
On line 1145 in the jsencrypt.js file, can you use a secure random number generator instead of the Math.random() method? It won't stand up to a cryptographic attack. Please see the alternative method.
http://security.stackexchange.com/questions/20029/generate-cryptographically-strong-pseudorandom-numbers-in-javascript