iroha-python icon indicating copy to clipboard operation
iroha-python copied to clipboard
verified publisher icon hyperledger

Insecure use of ed25519

Open py0xc3 opened this issue 5 years ago • 1 comments

Bernstein's python3 reference implementation of ed25519 is not appropriate for production purposes as it makes the python interpreter run functions for which that interpreter is not (cryptographically) designed, creating realistic attack scenarios in many environments.

Your optimization remains incorporating this weakness (line 18-33?).

Still, iroha-python uses your optimization for such purposes: it generates signatures and public keys from secret keys using ./ed25519.py.

Yet, the repository does not make aware of not being eligible for production purposes. Also, https://iroha.readthedocs.io/ suggests using iroha-python for production use.

I suggest to use cryptography with ed25519 / docs which is well maintained and suited for production use. Will have a better performance, too.

py0xc3 avatar Apr 24 '20 17:04 py0xc3

Security-critical issues solved in https://github.com/hyperledger/iroha-python/pull/58 - still, further testing of the pull request suggested!

py0xc3 avatar May 03 '20 10:05 py0xc3