Dozens of Crypto Libraries Vulnerable to Private Key Theft

One more time, software has bugs. Can you imagine that?

Ed25519 is a digital signature algorithm that has become very popular because it is literally 20 to 30 times faster than the competing digital signature algorithm.

One place where this algorithm tends to be popular is in blockchain and cryptocurrency platforms.

In this case, the libraries have bugs that, with some work, allow an attacker to deduce the user’s private encryption key.

Initially the researchers found 26 libraries that were vulnerable. The vulnerability is due to insufficient input validation. Now the list has at least 40 libraries on it. Remember that a library, if it is popular, might get thousands of downloads a week. Or more.

The researchers also found that some online services were vulnerable.

So a couple of thoughts here.

First, if you develop software and it has encryption, make sure that you are not using a vulnerable library.

Second, if you use software, and this part is harder, you need to try and figure out if the software you use – think blockchain, cryptocurrency, finance, stuff like that – is vulnerable.

Longer term, the answer for buyers and users of software is a Software Bill of Materials, or SBoM. An SBoM tells the user of the software what the ingredients of the software are. For example, in this case, does the software use one of these vulnerable libraries? If you need help creating an SBoM for software that you develop, building requirements for vendors, or understanding the SBoMs that you might receive, please contact us.
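One way to put an SBoM to that use, as an added example that is not part of the original alert: the script walks an SBoM, including nested (transitive) components, and reports any library found on a watchlist. It assumes the SBoM is CycloneDX JSON; the watchlist entries, the sample SBoM and the function names are constructed placeholders, not the researchers' list.

```python
import json

# Constructed placeholder watchlist of (ecosystem, package name) pairs.
# Replace with the entries from the published advisory before real use.
WATCHLIST = {("npm", "example-ed25519-lib"), ("cargo", "example-ed25519-crate")}

# Constructed CycloneDX-style SBoM; the watched library is a nested component.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "left-pad-demo", "version": "1.0.0",
   "purl": "pkg:npm/left-pad-demo@1.0.0"},
  {"type": "application", "name": "wallet-demo", "version": "2.3.1",
   "components": [
     {"type": "library", "name": "example-ed25519-lib", "version": "0.9.2",
      "purl": "pkg:npm/example-ed25519-lib@0.9.2"}]}
]}
""")

def parse_purl(purl):
    """Return (ecosystem, name) from a package URL, or None if it is not one."""
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?")[0].split("#")[0]     # drop qualifiers, subpath
    ecosystem, _, rest = body.partition("/")
    name = rest.rsplit("@", 1)[0].rsplit("/", 1)[-1]  # drop version, namespace
    return (ecosystem.lower(), name.lower()) if name else None

def walk(components, path=()):
    """Yield (component, parent path) for every component, nested ones included."""
    for comp in components or []:
        yield comp, path
        yield from walk(comp.get("components"), path + (comp.get("name", "?"),))

def find_watchlisted(sbom, watchlist):
    """List watchlisted libraries in the SBoM and the parent that pulls each in."""
    hits = []
    for comp, path in walk(sbom.get("components")):
        key = parse_purl(comp.get("purl"))
        if key in watchlist:
            hits.append({"name": comp.get("name"), "version": comp.get("version"),
                         "ecosystem": key[0], "via": "/".join(path) or "(top level)"})
    return hits

if __name__ == "__main__":
    for hit in find_watchlisted(SAMPLE_SBOM, WATCHLIST):
        print(hit)
```

Matching is by package URL only, so components listed without a `purl` are not flagged and need a manual look.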