spesmilo
labels plugin reuses IV for aes-cbc for all labels in given wallet
Description
Hi, when I review your code, I found that some crypto api misuses exist.
First, actually you have noticed this issue once, IV reuse on CBC. But it is still left in the code with fixme annotation. While CBC with fixed IV might work functionally, it could be a security risk in practice. Using a random IV in each CBC encryption is stronly recommended to ensure confidentiality.
- https://github.com/spesmilo/electrum/blob/b78935521b02ec80d33a9593bb309b0bd3ccfc24/electrum/plugins/labels/labels.py#L40-L44
And one more, it appears that hard-coded key issue on the use of hmac. It could be dangerous, if class DRBG is used for security-related purpose. It is good to avoid key hard-coding and using predictable key for hmac.
- https://github.com/spesmilo/electrum/blob/b78935521b02ec80d33a9593bb309b0bd3ccfc24/electrum/plugins/revealer/hmac_drbg.py#L26-L51
Update for these issues would be significantly helpful to improve security. Would it be possible to update these issues in the future?
Thank you.
And one more, it appears that hard-coded key issue on the use of
hmac. It could be dangerous, if class DRBG is used for security-related purpose. It is good to avoid key hard-coding and using predictable key for hmac.
- https://github.com/spesmilo/electrum/blob/b78935521b02ec80d33a9593bb309b0bd3ccfc24/electrum/plugins/revealer/hmac_drbg.py#L26-L51
What do you mean "hardcoded"? The key and the val fields both get overwritten based on the value of the seed parameter in the constructor.
(edit: the algorithm is from https://github.com/davidlazar/python-drbg)
What do you mean "hardcoded"? The key and the val fields both get overwritten based on the value of the seed parameter in the constructor.
I'm sorry for the late reply.
I think I said the wrong about it. I didn't recognize that self.reseed do overwritting key and value.