security concerns with timing attack in bn.js use
pravi opened this issue · 2 comments
pravi commented
I think browserify/diffie-hellman#22 is also applicable here.
calvinmetcalf commented
We use a blind in our calculations just like how libressl does. If you had
read through the DiffieHellman issue you would have noted that the issue
there is a different type of constant time thing they use in libressl that
I'm not sure how to replicate in JavaScript; any ideas there would be
helpful.
If I'm misreading your comment and you think there is a flaw in how we are
doing the blinding in this library, or there is an additional safeguard we
can use, I'm all ears.
That being said, this is a port of the nodejs api, which is frustratingly
synchronous, so we are unable to take advantage of native crypto abilities in
the browser, so I'd honestly be very hesitant to recommend this for anything
other than verification.
pravi commented
I was just confirming since this library also uses bn.js. Thanks for your comment.