Ripple Says Only XRP Private Keys With Software From 2015 are Susceptible to Attack

According to Ripple’s press release on January 16, only Ripple (XRP) … a New Zealand cryptocurrency exchange that was hacked on January 14.
ripple
Advertisement

According to Ripple’s press release on January 16, only Ripple (XRP) software libraries that were generated prior to August 2015 are susceptible to attack. This was its response to a research paper which had revealed that after the Ripple Blockchain was scanned, one private key was vulnerable.

Cryptanalysis on Bitcoin, Ripple, and Ethereum Blockchain

Joachim Breitner from DFINITY Foundation, Zug, and Nadia Heninger from the University of California, San Diego are the authors of the paper. These researchers claim to have carried out a cryptanalytic attack against signatures on the Bitcoin, Ethereum, and Ripple Blockchain.

Here, they made reference to the security of Elliptic Curve Digital Signature Algorithms (ECDAs) which is employed by these digital assets. According to the researchers, ECDAs rely on a generated signature value called nonces. The generation of nonces must be unbiased which means that more than one signature value is not created for a private key in order not to lead to a loophole.

Repeated Nouces in Ripple Could Cause Security Issues

In the case of Ripple, the researchers said they were able to access 571,482 unique public keys. Among them, 379,575 hav repeated signatures values. This led to the discovery of a private key which had a repeated nonce. As such, the account of the owner could be hacked and its funds of 30.40 XRP could be illegally obtained.

The report, on the other hand, hand states that this attack can be prevented by:

Using deterministic ECDSA nonce generation, which is already implemented in the default Bitcoin and Ethereum libraries

While responding to the paper, Ripple confirmed that the generation of the deterministic nonce in their software, as the paper suggests, began in August 2015. That being so, addresses are no longer vulnerable to attack since they have taken advantage of the newer software libraries.

Cryptocurrency Exchange Gets Attacked

Software vulnerability issues could pose a lot of threats. An instance is the case of Cryptopia, a New Zealand cryptocurrency exchange that was hacked on January 14. Although clients are still uninformed of how the breach occurred, law officials in the area have begun an investigation.

BTCNN on January 11 reported a similar event of Beam Wallet, a hardware cryptocurrency storage which was said to be compromised even though reports reveal that funds were not been stolen. Nevertheless, people in the United Arab Emirates (UAE) who are the vast majority of users of the wallet were asked to uninstall it and download a newer version.

Related Posts:

  • No Related Posts

Ripple: Only XRP Private Keys That Used Software From Before August 2015 Are Vulnerable

Ripple (XRP) software libraries published before August 2015 potentially … As Cointelegraph reported yesterday, the New Zealand cryptocurrency …

Ripple (XRP) software libraries published before August 2015 potentially rendered private keys which signed multiple transactions vulnerable, Ripple announced in a statement released on Jan 16.

Recent research jointly conducted by the DFINITY Foundation and the University of California revealed that a portion of Bitcoin (BTC), Ethereum (ETH) and Ripple addresses are vulnerable.

As is known among cryptographers, the security of Elliptic Curve Digital Signature Algorithms (ECDAs) employed by the aforementioned cryptocurrencies is highly dependent on random data, which are known as nonces. The research further explains:

“It is well known that if an ECDSA private key is ever used to sign two messages with the same signature nonce, the long-term private key is trivial to compute [crack].”

The researchers claim to have successfully hacked hundreds of Bitcoin, some Ethereum, SSH (remote control for unix-like systems), HTTPS and one XRP private keys thanks to so-called biased nonces (with a low degree of randomness.) As the researchers explain, the consequences of such vulnerabilities are vast:

“In the case of cryptocurrencies, these keys give us, or any other attacker, the ability to claim the funds in the associated accounts. In the case of SSH or HTTPS, these keys would give us, or any other attacker, the ability to impersonate the end hosts.”

Still, the paper explains that such vulnerabilities can be prevented:

“All of the attacks we discuss in this paper can be prevented by using deterministic ECDSA nonce generation, which is already implemented in the default Bitcoin and Ethereum libraries.”

According to Ripple, deterministic nonce generation has also been part of their software since August 2015. This feature also makes addresses that interacted with the blockchain employing newer software libraries safe from this vulnerability.

While cryptography is far from perfect, centralized systems like exchanges and single computing systems are successfully attacked with success much more often than private keys, the research states.. The paper further notes that during the research, access has been obtained to only about $54 of BTC and $14 of XRP.

As Cointelegraph reported yesterday, the New Zealandcryptocurrency exchange Cryptopia has suspended services after detecting a major hack that has reportedly resulted in significant losses.

Also, recently news broke that a recent spate of ransomware attacks estimated to have earned hackers 705.08 Bitcoin ($2.5 million) likely came from Russian cybercriminals, not North Korean state-sponsored actors as initially thought.

Related Posts:

Vulnerabilities In Bitcoin, Ripple, And Ethereum Digital Signatures Discovered By Researchers

Some researchers have just reported vulnerabilities in cryptographic signatures for Ethereum, Bitcoin and Ripple. These vulnerabilities allow attackers …
cryptocurrency


Some researchers have just reported vulnerabilities in cryptographic signatures for Ethereum, Bitcoin and Ripple. These vulnerabilities allow attackers to calculate private keys, and steal cryptocurrencies from a given wallet. The researchers were able to calculate hundreds of Bitcoin private keys but dozens of Ripple, Ethereum, HTTPS, and SSH private keys using this cryptanalytic attack.


Lattice Attacks Against Weak ECDSA Signatures

According to the paper published by the researchers, it is possible get private keys by analyzing Bitcoin, Ethereum and Ripple signatures. This vulnerabilities only occur in edge cases where the code isn’t implemented properly by developers. It can also occur when there is a fault in the multi-signature hardware.
The paper emphasizes on the resiliency of cryptographic schemes that are used by cryptocurrencies and also highlights the importance of proper implementation.

Each time a cryptocurrency holder makes a transaction, they will need to create a digital signature with an elliptic curve algorithm. The software pops up with an arbitrary number that can only be used once for communication. The arbitrary number is called a nonce.

The software will have to sign each transaction with a unique nonce. If not, hackers will be able to calculate the private key of the signer and steal as many tokens as possible. The researchers also found out that hackers can continue to monitor a blockchain for repeated nonces to extract money from compromised keys. They can calculate private keys from signatures that have similar nonces.


Bitcoin (BTC) Price Today – BTC / USD

Name Price 24H (%)

bitcoin
Bitcoin(BTC)

$3,619.16

The authors of the paper are Dr. Nadia Heninger, an associate professor of computer science in the University of California and Joachim Breitner, a senior researcher at DFINITY. The vulnerability was as fellows:

“The ECDSA digital signature algorithm needs to generate a random number of each signature. The number is called nonce. Note that this nonce is different from the one used in cryptocurrency mining. We exploited nonce vulnerabilities that were implementations that generated values that are much shorter than they should be. Some values shared the least significant bits.”


Using lattices, an advanced form of mathematics, the researchers were able to crack some wallet addresses and find private keys:


“Lattice algorithms allow us to find solutions to systems that are under constrained of linear equations. There are many cryptanalytic techniques that already use lattice algorithms as a building block.”


The paper made it clear that any non-uniformity that occurs during the generation of these digital signature nonces can show the private key information. With enough signatures, hackers can compute private keys to drain the users wallet.


Is The Vulnerability A Cause For Concern?


According to the report, the majority of cryptocurrency users need not worry about the vulnerabilities. The vulnerabilities can only be exploited if the digital signature code is bugged. There will be no security breaches as long as developers use the right techniques. These vulnerabilities can only be exploited when specific implementations are made.


These kind of attacks will be difficult for hackers because they are not cost effective. They may not profit from launching such an attack because of the amount of time, computational power and electricity they need to move forward. This doesn’t mean they will not add this new method of attack to their arsenal.

Unique Cryptanalytic Attack Used To Crack Private Keys of Cryptocurrencies

Vinny Lingham, CEO of Civic, on January 11, 2019, predicted that the cryptocurrency might fall below $3,000. Lingam states that the market would …

Vinny Lingham, CEO of Civic, onJanuary 11, 2019, predicted that the cryptocurrency might fall below $3,000.

Lingam states that the marketwould either breakdown or breakout. Bitcoin is trying to decide which way togo, therefore would trade sideways until the crypto finds a breakout orbreakdown direction.

On Thursday, within just a fewminutes Bitcoin shed $250 out of $4000. Thevolatility pattern of the Bitcoin took a new turn. The gains that were made earlier got canceledout. The price movements of Altcoinsreacted intensely to the price drop of Bitcoin. Almost all the cryptocurrenciesin the top twenty list by market capitalization shed 11.3% on Friday.

Recent research has identifiedthat hackers are using methods to calculate the private keys ofcryptocurrencies. They make use of a unique cryptanalytic attack.

However, these attacks occur onlyin cases where the developers have not executed their codes properly or in situationsthat involve faulty hardware that functions with multi-signature. Thosenetworks that are properly implemented do not suffer these attacks.

It so happens that anytime acrypto holder is involved in a transaction, they create a cryptographic signature.They make use of Elliptic Curve Digital Signature Algorithm (ECDSA). A nonce isgenerated by the algorithm. Thisarbitrary number is to be used for just once. It is important for the softwareto sign up with a different nonce each time otherwise hackers will be able tocalculate the private key of the signers.

Hackers continually monitor theblockchain watching for repeated nonces. Thus, they will be able to extractmoney from compromised keys. Hackers will be able to calculate the keys fromsignatures that make use of different signatures, but similar nonce. In cases,where the nonces have similar strings in the beginning and end of thesignatures then the hackers can exploit it.

The digital signature nonce isdifferent from the nonce used in the cryptocurrency mining process. The chancesfor exploitation of nonce are more when the values are very shorter than itshould be.

Lattice is an advancedmathematical approach that can be used to crack the wallet addresses toidentify the private keys. Several cryptanalytic techniques make use of thelattice algorithms as a building block.

This need not set most of thecryptocurrency users into a world of worry, because, a hack is possible onlywhen there is a bug in the digital signature code. The security scheme will be secure for aslong as it is executed according to the protocol and documented methods.The amount of time and electricity required forthis process is too high to make it profitable for attackers.

Researchers Find Vulnerability for Bitcoin, Ethereum, and Ripple Digital Signatures in Faulty …

In the paper Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, researchers utilize a method to calculate …

Researchers recently identified vulnerabilities in cryptographic signatures for Bitcoin, Ethereum, and Ripple, that allowed attackers to calculate private keys and, consequently, steal any crypto in that wallet. In total, the researchers calculated hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH, and HTTPS private keys using this unique form of cryptanalytic attack.

In the paper Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, researchers utilize a method to calculate private keys by analyzing Bitcoin signatures. The researchers were also able to apply these techniques to Ethereum and Ripple.

That said, these vulnerabilities only occur in edge cases where code is not implemented by developers properly, or likely occurred because of faulty multi-signature hardware. The research emphasizes the resiliency of the cryptographic schemes used by cryptocurrencies, as well as highlights the importance of proper implementation.

Background on Research

Whenever crypto holders make a transaction, they are required to create a cryptographic signature using an elliptic curve digital signaturealgorithm (ECDSA). In this algorithm, the software comes up with an arbitrary number that is used just once for communication—this number is called a nonce.

It is critical that the software signs each transaction with a different nonce, otherwise hackers can (rather easily) find and calculate the signers’ private key. There is even evidence that hackers continuously monitor the blockchain for these kinds of repeated nonces, extracting money from compromised keys.

What’s less well-known is that attackers can calculate keys from signatures that use different, but similar nonces. For example, if nonces have characters that are similar at the beginning of the signature, or if the nonce has characters that are similar at the end of a signature, then some big bad terrible thing will happen.

What the Researchers Say

CryptoSlate contacted both authors of the paper: Dr. Nadia Heninger is an associate professor of computer science at the University of California. Joachim Breitner, is a senior researcher at DFINITY. According to Dr. Heninger, the vulnerability was described as follows:

“The ECDSA digital signaturealgorithm requires generating a random number for each signature, which is often called a “nonce” (This is different from the nonces used in cryptocurrency mining). If these random values used in the signatures are not generated properly, in some cases, an attacker can compute the private signing keys. The types of nonce vulnerabilities that we exploited were implementations that generated values that were much shorter than they should have been, or values that shared most or least significant bits.”

And, using some advance math called lattices, the two were able to crack some of these wallet addresses and find the private keys:

“For the nerds in the audience, lattice algorithms allow us to find small solutions to underconstrained systems of linear equations. There are a number of crypotanalytic techniques that use lattice algorithms as a building block.”

As stated in the paper, any non-uniformity in the generation of these signature nonces can reveal private key information. Given a sufficient number of signatures, hackers can compute private keys and gain access to a user’s wallet and drain its funds.

Do Crypto Users Need to Worry?

According to Dr. Heninger and Breitner, the vast majority of cryptocurrency users need not worry:

“The only reason this would happen is if there is some type of bug in the digital signature code.”

Furthermore, as long as developers use the proper techniques and documented methods to ensure user security, the signature scheme is considered secure:

“As far as we know, ECDSA is a secure digital signaturealgorithm if implemented correctly. We concluded that these were not common implementations based on the fact that we only found a few thousand vulnerable signatures out of nearly a billion Bitcoin signatures that we examined.”

Furthermore, these vulnerabilities are only “specific to distinct implementations. Furthermore, the authors speculate that the faulty implementationn could possibly be a result of a few multifactor security devices:

“The mention of multifactor security is specific to the case of the signatures we found with 64-bit nonces on the Bitcoin blockchain. Nearly all of them were part of multisig addresses, which is not the usual case on the blockchain, hence our guess of the source. There has since been some further speculation about the specific implementation.”

Now, there are ways for developers to implement ECDSA without the vulnerabilities described in the paper, even for hardware devices. According to Breitner:

“The official blockchain clients get their crypto right… since 2016, the Bitcoin client uses deterministic signatures (RFC6979) which completely removes the need for randomness in the process [eliminating the possibility of the kind of attack employed by the researchers]. If you are using non-standard libraries, or if you write your own crypto routines… you should make sure that these use RFC6979. This is even more important on embedded devices or hardware tokens where a good source of randomness might be hard to come by.”

Profitable for Attackers?

Ultimately, these kinds of attacks are not cost-effective given the amount of time, electricity, and computational power needed to conduct them—even with this new tool added to their arsenal:

“Given that attackers are already exploiting other cryptographic vulnerabilities to compromise wallets, it seems likely that this will be added to their arsenal. However, if one has to pay for the computing time to do the computation, it is probably not a cost-effective attack given the balances that we found associated with vulnerable keys.”

At the end of the day, the research reassures cryptocurrency users that the cryptography underlining Bitcoin and other digital currencies is sound. With tens of thousands of people scrutinizing the underlying code for these systems, it is a testimony that the core security schemes, if used properly, still adequately protect the user—for now.

Commitment to Transparency: The author of this article is invested and/or has an interest in one or more assets discussed in this post. CryptoSlate does not endorse any project or asset that may be mentioned or linked to in this article. Please take that into consideration when evaluating the content within this article.

Disclaimer: Our writers’ opinions are solely their own and do not reflect the opinion of CryptoSlate. None of the information you read on CryptoSlate should be taken as investment advice, nor does CryptoSlate endorse any project that may be mentioned or linked to in this article. Buying and trading cryptocurrencies should be considered a high-risk activity. Please do your own due diligence before taking any action related to content within this article. Finally, CryptoSlate takes no responsibility should you lose money trading cryptocurrencies.

Did you like this article? Join us.

Get blockchain news and crypto insights.

Follow @cryptoslateJoin Us on Telegram

Related Posts:

  • No Related Posts