This repository has been archived by the owner on Oct 28, 2024. It is now read-only.
Hello!
First and foremost, I would like to express my sincere gratitude for your contributions to this project.
Description:
I have identified a security vulnerability in the solcrypto project concerning an insecure PRNG.
PRNGs are used to generate random numbers that are unpredictable and uniformly distributed. However, some PRNGs are not truly random and can be predicted or reproduced, which can compromise the security of cryptographic applications that rely on them, such as key derivation, encryption, or digital signatures. Examples of insecure PRNGs are random.randbytes or random.randint. These PRNGs should not be used in a security context and should be replaced by more secure ones, such as secrets.token_bytes or os.urandom. It corresponds to CWE-338: Use of Cryptographically Weak PRNG.
Locations:
solcrypto/pysolcrypto/polyhash.py
Line 56 in 3c59250
solcrypto/pysolcrypto/polyhash.py
Line 57 in 3c59250
References:
CWE-338: Use of Cryptographically Weak PRNG.
Recommendations:
Random IV Generation: Implement a secure random salt generator, such as the secrets library.
Immediate attention to this issue is recommended to maintain the privacy and security of solcrypto users.
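Added example, not part of the original issue or of the solcrypto code: a small static check that flags the `random` calls named in the report and suggests a `secrets` equivalent for each. The function name, the suggestion mapping and the sample source are assumptions constructed for illustration; the sample is not the contents of polyhash.py.

```python
import ast

# Mersenne Twister helpers to flag, with a CSPRNG replacement (this example's mapping).
WEAK_CALLS = {
    "randbytes": "secrets.token_bytes(n)",
    "randint": "secrets.randbelow(hi - lo + 1) + lo",
    "getrandbits": "secrets.randbits(k)",
}

def find_weak_prng_calls(source):
    """Return sorted (line, call, suggestion) tuples for weak `random` calls in source."""
    tree = ast.parse(source)
    modules, funcs = set(), {}  # names bound to the module / to its weak functions
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "random":
                    modules.add(a.asname or "random")
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for a in node.names:
                if a.name in WEAK_CALLS:
                    funcs[a.asname or a.name] = a.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, name = node.func, None
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in modules and f.attr in WEAK_CALLS):
            name = f.attr  # e.g. rnd.randint(...)
        elif isinstance(f, ast.Name) and f.id in funcs:
            name = funcs[f.id]  # e.g. randbytes(...) imported by name
        if name:
            findings.append((node.lineno, "random." + name, WEAK_CALLS[name]))
    return sorted(findings)

# Constructed sample input for the demonstration.
SAMPLE = '''\
import secrets, random as rnd
from random import randbytes
def make_values(q):
    a = rnd.randint(1, q - 1)
    b = randbytes(32)
    return a, b, secrets.token_bytes(32)
'''

if __name__ == "__main__":
    for line, call, fix in find_weak_prng_calls(SAMPLE):
        print(f"line {line}: {call} -> use {fix}")
```

The check resolves import aliases but does not follow `random.Random()` instances; `random.SystemRandom()` is backed by `os.urandom` and is not flagged.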