Labels Milestones

New Issue

Non-cryptographic secure random number generation for tokens #1

Closed

opened 5 years ago by Ghost · 1 comments

Ghost commented 5 years ago

The SessionID is generated using rand::thread_rng() which is not cryptographic secure. This means that the effective bits a hacker needs to guess is significantly lower than you would expect based on the string. An attack vector is to create a few sessions and look for patterns. Based on these sessions, an attacker is likely to guess different session IDs.

I would advice using rand::OsRng or ring::rand::SystemRandom(). Both generators can generate cryptographic secure random strings.

The SessionID is generated using rand::thread_rng() which is not cryptographic secure. This means that the effective bits a hacker needs to guess is significantly lower than you would expect based on the string. An attack vector is to create a few sessions and look for patterns. Based on these sessions, an attacker is likely to guess different session IDs. I would advice using rand::OsRng or ring::rand::SystemRandom(). Both generators can generate cryptographic secure random strings.

MightyPork commented 5 years ago

Owner

Thanks, I don't think it's that critical but it's fixed in 0.2.1 I just released, using OsRng.

Thanks, I don't think it's that critical but it's fixed in 0.2.1 I just released, using `OsRng`.

MightyPork closed this issue 5 years ago

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

jsons

master

more-generic

refactor

v0.2.2

Labels

Apply labels

Clear labels

No items

No Label

Milestone

Set milestone

Clear milestone

No items

No Milestone

Assignees

Assign users

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: packages/rocket_session#1

Write Preview

Loading…

Cancel

Save

There is no content yet.