Questions about sha256 and salt used
Gax-c opened this issue · comments
I've got some questions when browsing the source code.
-
The sha256 here is used to generate the key from secret. But sha256 itself is not a secure algorithm for key derivation. Some other algorithms like PBKDF2 will be better.
-
Why the salt and IV are the same here, they are supposed to be different to provide security.
I think these two may lead to potential vulnerabilities.