codiusrex

Ripple: Only XRP Private Keys That Used Software From Before August 2015 Are Vulnerable

On 1/21/2019 at 5:47 AM, richxrp said:

Anyone know if accounts created by RT (Ripple Trade) are vulnerable?

If you sent multiple transactions using Ripple Trade, you may be vulnerable. It is unlikely, since as far as I know, Ripple Trade generally uses a strong source of randomness, but it's not a bad precaution to rotate your keys regardless.

On 1/20/2019 at 1:24 PM, enrique11 said:

Yes, they're supposed to be safe according to Ripple.  For example, the last version of rippex wallet for Linux (I would assume it's OK for other platforms as well like Microsoft and MacOS if they were updated at similar times and are basically using the same mechanism to generate nonces, but honestly I don't know how the process works for other platforms, upgrading and stuff and the libraries used and if they are basically updated at similar times with similar versions of ripple-lib - I just use Linux, so I am only confident about the system I use and the wallet created for it.) used ripple-lib version 0.13.0-rc14, and if you look at the following link that I posted yesterday in a similar thread (https://github.com/ripple/ripple-lib/commits/develop?after=dc148bf95441f8ad879026f8cb2473be4d6f055f+699), the "Bump version to 0.13.0-rc3" reference at the bottom of the linked page, you see that the earliest version of ripple-lib that's supposedly safe that I could find in August of 2015 was created on August 4, 2015 and is version 0.13.0-rc3, so any version of ripple wallet that's using ripple-lib version 0.13.0-rc3 or greater should be safe.  So even later wallet versions of rippex (not necessarily the last version) should be safe as long as they use a ripple-lib version that's at least 0.13.0-rc3.

Latest desktop version I use says at the bottom left 1.4.1 and links to this https://github.com/ripple/ripple-client-desktop/releases

What does it say about the vulnerability?

6 hours ago, Malloy said:

Latest desktop version I use says at the bottom left 1.4.1 and links to this https://github.com/ripple/ripple-client-desktop/releases

What does it say about the vulnerability?

This is what I followed based on Ripple's comments about the issue:

First, here's the Ripple link to the nonce issue: https://ripple.com/dev-blog/statement-on-the-biased-nonce-sense-paper/

And the following quote in the link is how I pinned down which versions of ripple-lib are safe:

Quote

For several years, the widely agreed upon industry recommendation has been to use deterministic nonces as described in RFC6979 when generating signatures for any of these systems. Those who use exclusively deterministic nonces (or use Ed25519 keys) are not vulnerable to this attack. Signing software contained in rippled and ripple-lib packages published by Ripple from August 2015 and later always use deterministic nonces.

Based on the part of the quote I highlighted, any wallet using ripple-lib that came out in August or later of 2015 should be safe.

Then if you look at the ripple-lib GitHub commits in the following link, https://github.com/ripple/ripple-lib/commits/develop?after=dc148bf95441f8ad879026f8cb2473be4d6f055f+699 you will see at the bottom of the linked page that the earliest version of ripple-lib in August of 2015 that's supposedly safe is 0.13.0-rc3.

OK, so if you go into the link you posted under rippex wallet version 1.4.1, and you download or open the zip file, you see that the ripple-lib dependency referenced in the package.json is version "0.13.0-rc14" which is greater than version 0.13.0-rc3, so it should be safe.

Then finally, if you go into the README.md file of the 1.4.1 wallet version in the link ( https://github.com/ripple/ripple-client-desktop/releases ) you posted that explains how to build the wallet client from source code, it states as part of the directions for building the wallet client to "Run `npm install`".

Then if you look at what the command "npm install" does you get this ...

Quote

By default, npm install will install all modules listed as dependencies in package.json

So, the developers want people to follow directions in the README.md file in order to build the wallet client.  And one of the steps is to run the 'npm install' command, which according to this quote I found will install any dependencies found in package.json, and if you recall, ripple-lib is one of these dependencies.

So, if the developers or maintainers of these packages at rippex who provided these wallet apps/clients for people to download from their website followed their own directions, then when they created these wallet clients, they should have built them using the referenced dependencies (including ripple-lib) found in package.json, which means that rippex wallet client version 1.4.1 is using version 0.13.0-rc14 of ripple-lib which is supposed to be safe according to Ripple.

I'm not a coder, but this is how I tried to piece together which ripple-lib versions should be safe and which rippex wallet client versions are using them.

 

Edited by enrique11

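The package.json check walked through in the post above, as an added example that is not code from the thread, rippex or ripple-lib: it reads a wallet's package.json (the sample below is constructed), finds the ripple-lib dependency and compares it with 0.13.0-rc3. It orders release candidates by number (rc3 < rc14), which is what the post's reasoning assumes; strict semver, which npm's semver package follows, compares alphanumeric prerelease identifiers as strings, so there "rc14" sorts below "rc3" and a plain semver comparison would wrongly flag rc14 as too old.

```javascript
const MIN_SAFE_RIPPLE_LIB = '0.13.0-rc3';  // threshold the thread derives from the commit log

// Constructed package.json text modelled on the dependency the thread cites.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-wallet',
  version: '1.4.1',
  dependencies: { 'ripple-lib': '0.13.0-rc14', lodash: '^3.0.0' },
});

// Parses "0.13.0-rc14", "^0.13.0-rc14" or "0.13.0". Range operators are
// dropped: what remains is the lowest version npm would accept, which is
// exactly what an "at least 0.13.0-rc3" check needs.
function parseVersion(spec) {
  const m = spec.trim().match(/^[\^~>=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]*)(\d*))?/);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  const pre = m[4] === undefined ? null : { tag: m[4], num: Number(m[5] || '0') };
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
// A prerelease ranks below its release; same-tag prereleases order by number
// (rc3 < rc14), unlike strict semver, which compares "rc14" < "rc3" as strings.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  if (a.pre.tag !== b.pre.tag) return a.pre.tag < b.pre.tag ? -1 : 1;
  return a.pre.num - b.pre.num;
}

// Returns { spec, safe } for the ripple-lib entry, or null if none is declared.
function checkRippleLib(packageJsonText, minSafe = MIN_SAFE_RIPPLE_LIB) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps['ripple-lib'];
  if (spec === undefined) return null;
  return { spec, safe: compareVersions(parseVersion(spec), parseVersion(minSafe)) >= 0 };
}

console.log(checkRippleLib(SAMPLE_PACKAGE_JSON));  // { spec: '0.13.0-rc14', safe: true }
```

The spec in package.json is only the minimum the build asks for; to confirm what a downloaded build actually bundled, run the same check on node_modules/ripple-lib/package.json inside the extracted app.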
8 hours ago, Malloy said:

Latest desktop version I use says at the bottom left 1.4.1 and links to this https://github.com/ripple/ripple-client-desktop/releases

What does it say about the vulnerability?

So to answer your question succinctly, rippex wallet client version 1.4.1 is safe because it should be using ripple-lib version 0.13.0-rc14, which uses deterministic nonces.

Edited by enrique11
