Fix Insecure Token Generation
elithrar opened this issue · comments
The way IVs, keys and other tokens used for cryptographic purposes are generated by this framework falls back to an insecure mode of generation:
e.g. https://github.com/henrylee2cn/faygo/blob/master/utils/rand.go
- Falling back to `math/rand` if `crypto/rand` fails is dangerous: if the system CSPRNG fails, you should consider crashing, restarting or trying again (and serve the user an opaque error where possible). You cannot trust the values of `math/rand` to be secure for session tokens, CSRF tokens or cryptographic keys because they are deterministic and may be guessed by an attacker.
- Conforming the generated bytes to a static alphabet introduces bias. Instead, you should just base64 (or base32, or hex) encode the generated bytes if they need to be consumed in a string context.
I've made a PR here that addresses these issues: #7
Further reading:
Thanks very much for your issues! I have merged your code and made same fixes.
https://github.com/henrylee2cn/faygo/blob/master/utils/rand.go#L25
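The two points raised in the issue, as an added Go example that is not the code from the PR or from faygo: token generation that returns an error when the random source fails instead of falling back, and a count showing the bias from mapping bytes onto a static alphabet. The names `TokenFrom`, `NewToken`, `ModuloCounts` and `Alphanum` are hypothetical, and the modulo mapping is an assumed way of conforming bytes to an alphabet.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// Alphanum is a constructed 62-symbol alphabet used only to show the bias.
const Alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// TokenFrom reads n bytes from src and returns them base64url-encoded.
// Any read failure is returned to the caller; there is no fallback source.
func TokenFrom(src io.Reader, n int) (string, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(src, b); err != nil {
		return "", fmt.Errorf("random source failed: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewToken draws n bytes from the system CSPRNG (crypto/rand).
func NewToken(n int) (string, error) {
	return TokenFrom(rand.Reader, n)
}

// ModuloCounts maps every byte value 0..255 onto alphabet with b % len
// (assumed mapping) and counts how many byte values select each symbol.
func ModuloCounts(alphabet string) map[byte]int {
	counts := make(map[byte]int, len(alphabet))
	for v := 0; v < 256; v++ {
		counts[alphabet[v%len(alphabet)]]++
	}
	return counts
}

func main() {
	tok, err := NewToken(32)
	if err != nil {
		panic(err) // fail closed: no token is better than a guessable one
	}
	fmt.Println("token:", tok)
	c := ModuloCounts(Alphanum)
	// 256 = 4*62 + 8, so the first 8 symbols are picked 5 times, the rest 4.
	fmt.Println("'0':", c['0'], "'z':", c['z'])
}
```

Encoding the raw bytes keeps every output equally likely, whereas the modulo mapping makes the first eight symbols 25% more likely than the rest.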