Go-SCP icon indicating copy to clipboard operation
Go-SCP copied to clipboard
verified publisher icon OWASP

Update pseudo random generation to use math/rand/v2

Open fedevilensky opened this issue 1 year ago • 3 comments

Pseudorandom number generation should be updated to use math/rand/v2 as this is the new recommended implementation

fedevilensky avatar Dec 04 '24 18:12 fedevilensky

No, crypto/rand should still be used for security-sensitive operations.

"For example, using math/rand to generate a 128-bit or 256-bit AES key would be a serious mistake, since the key would be easier to brute force. For that kind of use, you need a cryptographically strong random number generator, as provided by crypto/rand" - golang blog.

"This package's outputs might be easily predictable regardless of how it's seeded. For random numbers suitable for security-sensitive work, see the crypto/rand package" - math/rand/v2 docs

ottosulin avatar Dec 05 '24 06:12 ottosulin

Sorry maybe I was not clear enough. I meant instead of "math/rand" use "math/rand/v2"

fedevilensky avatar Dec 05 '24 09:12 fedevilensky

Hi @fedevilensky,

I'd love to work on this issue! I understand the task is to update all instances of math/rand to math/rand/v2 while ensuring no security-sensitive operations are affected.

Would you like me to check all occurrences of math/rand and replace them accordingly? Also, should I update the documentation if any references exist?

Looking forward to your guidance! 🚀

aakarshgopishetty avatar Mar 23 '25 09:03 aakarshgopishetty