1/ We decided to waste no time in heading directly to the documentation of Hedera Hashgraph - found here: docs.hedera.com/docs/

Specifically, we're going to look at 'key generation'

Ed25519 > secp256k1 (ECDSA) [what Bitcoin uses]
2/ Providing an eclectic range of signatures is somewhat worrisome because the biggest source of compromise among users as it pertains to key generation using these signatures is user error / incorrect implementation.
3/ More important is implementation; visiting the GitHub = github.com/hashgraph/hede…
4/ So a few light issues - starting with a top to bottom assessment of the code itself.

Below are some annotations that were made to explain the packages (SDKs) imported {Bouncy Castle used; reliable - this works}
5/ Using 'public static' vs. 'private static' could be argued; generally, similar applications of these packages will use 'private static' for some parts.

More important, however, is evaluating the cryptographic sigs/standards used by Hedera (next tweet)
6/ We know already that SHA256 is vulnerable to length-extension + pre-image attacks (same w SHA-512); this, compounded with the means by which the seed is created (via password??), creates a *very insecure* setup.
7/ Attached to this tweet is an implementation of SHA256 using the same Bouncy Castle API, but also with the inclusion of HMAC for the PRN (random-number generator), ensuring a more secure seed is derived.

Ultimately, this is the type of code that we'd want to see.
8/ Going back to the code leveraged by Hedera Hashgraph...insecure seed/key generation = compromised structure.
9/ This spells disaster all over in a lot of different ways.

Source: github.com/hashgraph/hede…
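
The contrast tweets 6 and 7 draw between a bare hash of a password and an HMAC-based derivation, as an added example that is not part of the original thread and is not Hedera's SDK code. It uses the JDK's standard crypto providers rather than Bouncy Castle; the class and method names, the sample password and the iteration count are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SeedDerivation {
    // Weak pattern: seed = SHA-256(password). Unsalted and single-pass, so the same
    // password always yields the same 32-byte seed and each guess costs one hash.
    static byte[] weakSeed(String password) throws Exception {
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Stronger pattern: PBKDF2 over HMAC-SHA256 with a per-user salt and a work factor.
    static byte[] kdfSeed(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password copy in the spec
        }
    }

    // When no password is involved: take the 32-byte seed straight from the CSPRNG.
    static byte[] randomSeed() {
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);
        return seed;
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse battery staple"; // constructed sample password
        SecureRandom rng = new SecureRandom();
        byte[] saltA = new byte[16], saltB = new byte[16];
        rng.nextBytes(saltA);
        rng.nextBytes(saltB);
        int iters = 600_000; // assumed work factor; tune to the target hardware

        System.out.println("weak seeds identical for same password: "
                + Arrays.equals(weakSeed(pw), weakSeed(pw)));
        System.out.println("KDF seeds identical across two salts:   "
                + Arrays.equals(kdfSeed(pw.toCharArray(), saltA, iters),
                                kdfSeed(pw.toCharArray(), saltB, iters)));
        System.out.println("KDF seed reproducible with stored salt: "
                + Arrays.equals(kdfSeed(pw.toCharArray(), saltA, iters),
                                kdfSeed(pw.toCharArray(), saltA, iters)));
        System.out.println("random seed length: " + randomSeed().length);
    }
}
```

The salt must be stored alongside the account so the same seed can be re-derived; it does not need to be secret.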