Armory 0.96.3 Released
This release is a minor release fixing a vulnerability in Shamir’s Secret Sharing implementation used for fragmented backups. If you use fragmented backups, this is an URGENT update.
The fragmented backups produced by Armory used a faulty implementation of Shamir’s Secret Sharing (SSS). SSS requires that the coefficients of the curve are chosen randomly, but the implementation had been deriving those coefficients deterministically. It is unknown how much this erodes the security of SSS and how exploitable the vulnerability is. Out of an abundance of caution, we advise that you treat all wallets backed up with fragmented backups as compromised and immediately move all funds to a new wallet. The vulnerability is fixed in Armory 0.96.3 and above by fully randomizing the coefficients. Note that this will mean that the fragmented backups will no longer be deterministic. Each set of backups will be given a unique ID and restoring a fragmented backup requires all fragments to have the same unique ID.
Special thanks to Gregory Maxwell for identifying and reporting the vulnerability as well as reviewing the fix.
The full details of the vulnerability are available on here
Fragmented backups were using a faulty implementation of Shamir’s Secret Sharing (SSS). One of the requirement of SSS security parameters is that the coefficients of the curve are chozen randomly. The implementation up to this point was deriving these coefficients deterministically.
While it is hard to determine how far the deterministic coefficient generation erodes the security of SSS, and how exploitable the vulnerability is, the recommendation for users of fragmented backups is to treat the wallets backed up in this fashion as compromised and to migrate all funds to a new wallet.
The fragmented backup code now properly randomizes the SSS coefficients. Fragmented backups created with version 0.96.3 and later are safe to use.
- The result of this change is that fragmented backups will no longer be deterministic. The previous behavior guaranteed a given wallet will always return the same set of fragments for a given M-of-N scheme. Since it deteriorates SSS security properties, the behavior has to be rolled back.
- Fragment sets are now generated randomly, therefor an unique ID has been added to each set to identify them. You cannot mix and match sets.
While Armory can no longer generate deterministic fragments, it can still restore wallets from deterministic fragments.
- Many thanks to Gregory Maxwell ([email protected]) for identifying and reporting the vulnerability as well as reviewing the fix.
- Fixed faulty version packet deserialization revealed by Core 0.15.0.1
Thank you to all the contributors: