
Keys are generated with insufficient entropy

Open r00tkillah opened this issue 5 years ago • 1 comments

RandomInt seeds prng with insufficient entropy at each invocation

func RandomInt(min, max int) int {
	rand.Seed(time.Now().UnixNano())
	return min + rand.Intn(max-min)
}

RandomAESKey uses the non-cryptographically random prng to generate keys:

func RandomAESKey() {
	config.GlobalKey = make([]byte,16)
	_, err := rand.Read(config.GlobalKey[:])
	if err != nil {
		panic(err)
	}
}

If RandomInt has been called prior to RandomAESKey, the prng will be seeded with the unix time of that invocation. However, if it has not been called prior, it will generate the same bytes every time:

Package rand implements pseudo-random number generators.

Random numbers are generated by a Source. Top-level functions, such as Float64 and Int, use a default shared Source that produces a deterministic sequence of values each time a program is run. Use the Seed function to initialize the default Source if different behavior is required for each run. The default Source is safe for concurrent use by multiple goroutines, but Sources created by NewSource are not.

Mathematical interval notation such as [0, n) is used throughout the documentation for this package.

For random numbers suitable for security-sensitive work, see the crypto/rand package.

r00tkillah, May 28 '20 22:05

Thanks for pointing out the deficiencies in the code. I don’t have much time to review the code and fix it, please submit a PR :)

darkr4y, Aug 10 '20 16:08
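
An added example, not code from geacon or from either commenter: it models the behaviour the issue describes and shows crypto/rand replacements for both functions. The names `weakKey`, `SecureAESKey` and `SecureRandomInt` are hypothetical, seed 1 stands in for the unseeded default Source of the Go release whose documentation is quoted in the issue, and the timestamp is constructed.

```go
package main

import (
	"bytes"
	crand "crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
)

// weakKey models the 16-byte key math/rand yields for a given seed.
// Seed 1 stands in for the unseeded default Source (assumption, see lead-in).
func weakKey(seed int64) []byte {
	key := make([]byte, 16)
	mrand.New(mrand.NewSource(seed)).Read(key) // (*Rand).Read never fails
	return key
}

// SecureAESKey draws the key bytes from the operating system CSPRNG.
func SecureAESKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := crand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SecureRandomInt returns a uniform value in [min, max) with no seeding step.
func SecureRandomInt(min, max int) (int, error) {
	if max <= min {
		return 0, fmt.Errorf("empty range [%d, %d)", min, max)
	}
	n, err := crand.Int(crand.Reader, big.NewInt(int64(max-min)))
	if err != nil {
		return 0, err
	}
	return min + int(n.Int64()), nil
}

func main() {
	ts := int64(1590703500000000000) // constructed UnixNano timestamp
	// The weak key is a pure function of the seed, so it repeats exactly.
	fmt.Println("default seed repeats:", bytes.Equal(weakKey(1), weakKey(1)))
	fmt.Println("time seed repeats:   ", bytes.Equal(weakKey(ts), weakKey(ts)))
	a, _ := SecureAESKey()
	b, _ := SecureAESKey()
	fmt.Println("crypto/rand repeats: ", bytes.Equal(a, b))
}
```

With a time seed the key carries no more entropy than the timestamp passed to the seed call, which is why the hardened versions take no seed at all.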