What, no, everyone knows they're powered by cavemen with chisels and stone tablets.

Aren't banks often still using COBOL or other such ancient languages?

Or even java 6

i think majority of world is still on java 8

Java 6 is still most popular

Even nicer when Mike is in it

It's implemented by the OpenJDK community. So I guess it's a bug that the open source community didn't catch.

@@andrewlalis Most OpenJDK devs work at Oracle, though. And another thing: Oracle sat on this bug for HALF A YEAR.

Oracle, being crappy? Why, I never.

Me. I did it. I'm responsible for this mistake.

this would fall under the general case of verifying spec with bounds testing, yeah. Were this something outside of spec, I could understand missing it, but if the bounds are clearly expressed in the specification then those bounds must be checked for a robust implementation.

Interesting, never heard of this!

I'm just guessing but that would mean that Alice could know Bob's G value from r=(kG).x since it's always the same as k doesn't mutate and once that's known, the private key (b) would = B/G from the formula B=bG and that's how you expose the private key considering that you know the value of k

@@marti.2718 Exactly. You don't even need to know the value of k, just have two messages and their signatures using the same k. Because you know s1 = (z1 + k1G)/k1 and s2 = (z2 + k2G)/k2 if k1 == k2, then s1 - s2 = (z1 - z2)/k and k = (z1 - z2)/(s1 - s2). As all those four values are known to you, so you get k and from k you get b My math may be wrong (specially with the limited formatting in a youtube comment), but I remember the failoverflow video went through this.

Practically speaking, it's not that important that you may sometimes repeat the same k for two messages by accident. Statistically speaking however, it represents a vulnerability, because an attacker could use that fact to find two messages with the same k, and then derive p and q from it using brute force.

@@Lastlythanku4urtime random does not equal unique

They were probably like this: uint32_t secret_key[] = {4, 6, 1, 4}; // Picked by fair dice rolls, guaranteed to be random :)

I use JDK 18 for Minecraft, and for compiling code into bytecode and running it in the VM. But I almost never use the JDK for developing lol

Some of the worst offenses I've seen are ironically in RNG algorithms, which encryption depends on, which _many_ systems use today.

I believe the CVE is CVE-2022-21449.

Hey, at least you've got a list of all your systems with Java installs handy that hasn't had a chance to get out of date yet. And it's a lot easier to patch this, since programs generally use the system JRE instead of having their own copy of a particular version of it.

It is also possible that the C++ implementation actually had an issue with dividing by zero mod n. Arguably the fact that Java just inserts a 0 there seems to be the main culprit since it basically wrecks the mathematical logic behind the equations. It seems feasible that the programmer implementing it was not aware that Java would just put 1/0 = 0 and assumed that the initial check was unnecessary.

Do you mean that they are checking r != NULL but not checking r != 0?

@@travelthetropics6190 yes

@@entropie-3622 we know the c++ implementation didn’t have this issue because we can see the source. As far as “not knowing” when porting, that’s a horrible mindset. ECDSA has a spec for a reason.

@@entropie-3622 > Java just inserts a 0 there > Java would just put 1/0 = 0 No, integer division by zero is not allowed in Java and causes an exception. And it's not an implementation detail but part of the Java Language Specification: - section 15.17.2 "Division Operator /": "if the value of the divisor in an integer division is 0, then an ArithmeticException is thrown"; - section 15.17.3 "Remainder Operator %": "If the value of the divisor for an integer remainder operator is 0, then an ArithmeticException is thrown".

Someone missed a line when they copied and pasted the c++ implementation into their notepad of choice for reference before they implemented it in Java.

It gets even more embarassing when you realise this was in production for 1.5 years and noone noticed.

@@tallowisp8868 Well, no one noticed and also told everyone that they noticed. 😉

Even more amazing is that this is an open source implementation. Meaning EVERYONE COULD look at it and notice something and no one did. Anyone saying they did notice it are either lying or a black hat. Don't know which would be worse to be honest. But from a practical standpoint, lying about it means you are embarrassed because you told a blatant lie. But using the exploit means you are probably breaking a law somewhere and can be put in prison. Either way, this was in the PUBLIC EYE and no one noticed until now. We are ALL idiots really.

@@tallowisp8868 Even more troubling is that this bug has been actually reported to Oracle SIX MONTHS AGO. Which means Oracle has been biding its time and knowingly exposed their customers to this vulnerability in that time. And now that Oracle's JDK implementation is fixed (but not contributed back to upstream OpenJDK), they seem to have no problem releasing and announcing the bug while the OpenJDK still does not have a fixed release available and is expected to get it done ASAP.

@@tallowisp8868 Why didn't Noone do anything about it before Madden disclosed it?

OpenJDK15+ is also affected by this. For newer versions, the Oracle JDK is just a build of the OpenJDK source. This is true for 17 and 18 at the moment. When a version moves to be paid support at Oracle, then it can start diverging from the source code of the OpenJDK project, as you have two efforts to maintain that codebase, Oracle on one hand and the OpenJDK Updates project on the other. However, when it comes to security fixes, there is still parity

@@genrazhan I see 17.0.3, but the file archive is from march 22nd, not april-recent. You sure?

@@MrFloris extremely sure. The package may have been built earlier, but it was made public on April 19th

@@genrazhan thank you. I already updated to 17.0.3 for all the minecraft servers.

@@genrazhan excellent

Ah, a man of culture.

There should be software that does that, which should be mandatory like a formatter and unit tests.

This is such a minor footnote, it's almost always better to update to the latest. The fact that this is getting coverage means it's notable because it doesn't happen often to be "boring" to cover. That's like saying it's a reason to avoid getting a vax because there are breakthrough cases or adverse affects for unique individuals....

Maybe u genius hackers should spy on kneel madden instead of the guy doing a pushup is all im saying!!!!

Bob, you're fired!

😂

My understanding was that they completely omitted the check for r and s being in [1, n-1].

Ofc it obviously will

It is not uncommon for significant vulnerabilities like this to get backported even to versions that are already EOL.

That's mainly because it's everywhere. But the fact that they didn't even have unit tests for ECDSA is mind-boggling. (Ideally, it should be formally verified.)

Lol not even as close as Nodejs ecosystem.

@@OverG88 NPM -- where anyone who is given control of a package can change the code to be whatever they want and computers the world over say, "sure, I'll install that for you."

@@NyanSten we don't know the design goal, nor the test goal.

yeah, want to see the commit, with the name of the committer.

From what I understand it just has to be unique. So deterministic hash based on message being signed should be fine?

Zero as input for inverse multiplicative should have been handled like dividing by zero and raise an exception. The implementation of such an important API should have had tests that check the zero cases.

Relying on the programmer using your code to check for preconditions isn’t always safe :/

Under normal circumstances no. This is a perfectly valid operation in Java as the mod n value isn't actually dividing by 0, so there is no 0/0 being performed.

@@-Deco Thank you! I didn't take in the fact that everything is under mod n.

@@YuanLiuTheDoc No worries.

again

Not quite fair considering most ppl use Java below Java15 when the Bug was introduced

@@02orochi fair :D

The output does match for every input they tried. Furthermore, you can't have your tests make a list of all of the signatures each implementation accepts for a particular public key and message, because that's designed to take effectively forever; otherwise, an attacker who wants to forge a signature could just try them all and see which one in valid. What they were missing was testing with all of the corner cases from the specification. There's a public third-party suite of inputs that are not valid signatures for all the different reasons (so it tests that you're not missing any checks), but they didn't adopt it as a unit test, and it didn't get updated for the latest API changes, so clearly nobody else was running it, either.

1/0 in mod n arithmetic is 0 because you don't actually divide. Without mod n, it would throw ArithmeticException.

When you're doing math modulo large primes, you don't really use a regular division operation. Fermat's Little Theorem states that a^p mod p = a^1 for all a, so if you want a^-1, you just calculate a^(p-2). This is valid because you've already specifically checked that a is in the range [1, p-1], according to the specification. Unfortunately, if you haven't done the check, it can calculate 0^(p-2)=0 and not get a divide by zero exception.

The point of strong typing is not to crash when you have a bug. The point of strong typing is to ensure assignments in your code are of the correct type at compile time, rather than risk an exception due to incorrect type assignment at runtime. An arithmetic exception caused by divide by zero could as easily occur in C# or Java as JavaScript. Poor runtime exception handling, is poor exception handling irrespective of the type safety of the language. Unfortunately I've seen functions that "swallow" divide by zero errors internally and return zero far too many times in various projects :(

@@NyanSten haven't tried it but I believe it should throw an exception and specific one like not just an Exception.

@@iabervon interesting 🤔🤔🤔. I haven't written any algorithm that deals large primes before but I sure did divide by zero

No, this has nothing to do with custom curves. It's down to a lack of proper checks.

@@talideon sure, but would said validation not be required if one required predefined curves?

@@sundhaug92 the math is the same regardless of the curve parameters. It would affect all NIST curves for example. You may be thinking of Curve25519 and how you don't verify a public key is on the curve. The signature values (r, s) are different from verifying a public key.

@@sundhaug92 The validation is required regardless of the curve used. Now, there are good reasons for not trusting arbitrary curves, but this is specifically a matter of nonexistent basic input validation.

Could just block the ability of using 0 to solve this problem. if it's not 0 or infinity then chances are it would make this really hard to solve. Basically make a check to see if the coordinates are 0,0. Not hard to fix at all. But I wonder if there is other numbers that would fall into this problem

you're thinking of DSA, not ECDSA. at the level of algebra they are more or less the same, the underlying group operation is abstract, and indeed on the integers mod p addition, multiplication and exponentiation form a group, but on elliptic curves the group operation is point addition or point multiplication, and people argue endlessly about which notation is better (additive or multiplicative). terminology is also confusing, using additive notation and then calling a the discrete logarithm of aG or using multiplicative notation and referring to it as point addition... but what really matters is the group structure and whether or not the hardness assumption holds technically ecdsa has a patent circumvention that does poke at the underlying structure, but if you look at Schnorr signatures or the schnorr identification protocol on which they are based, those algorithms really don't care about the details of the underlying group structure

Servers