electrum icon indicating copy to clipboard operation
electrum copied to clipboard

Published 20 hours ago verified publisher icon spesmilo

labels plugin reuses IV for aes-cbc for all labels in given wallet

Open spblue4422 opened this issue 4 months ago • 1 comments

Description

Hi, when I review your code, I found that some crypto api misuses exist.

First, actually you have noticed this issue once, IV reuse on CBC. But it is still left in the code with fixme annotation. While CBC with fixed IV might work functionally, it could be a security risk in practice. Using a random IV in each CBC encryption is stronly recommended to ensure confidentiality.

  • https://github.com/spesmilo/electrum/blob/b78935521b02ec80d33a9593bb309b0bd3ccfc24/electrum/plugins/labels/labels.py#L40-L44

And one more, it appears that hard-coded key issue on the use of hmac. It could be dangerous, if class DRBG is used for security-related purpose. It is good to avoid key hard-coding and using predictable key for hmac.

  • https://github.com/spesmilo/electrum/blob/b78935521b02ec80d33a9593bb309b0bd3ccfc24/electrum/plugins/revealer/hmac_drbg.py#L26-L51

Update for these issues would be significantly helpful to improve security. Would it be possible to update these issues in the future?

Thank you.

spblue4422 avatar May 30 '25 04:05 spblue4422