Description
I have identified a potential security issue in the method get_initialization_vector
within the class responsible for encryption configuration. The current implementation allows for the use of a static initialization vector (IV) and uses a non-secure random number generation method. The code snippet is as follows:
def get_initialization_vector(self, use_random_iv):
if self.pubnub_configuration.use_random_initialization_vector or use_random_iv:
return "{0:016}".format(random.randint(0, 9999999999999999))
else:
return Initial16bytes
Using a static IV is insecure as it can lead to the same ciphertext being generated for the same plaintext, which can be exploited by an attacker. Additionally, the use of random.randint
is not cryptographically secure.
It is recommended to always use a cryptographically secure random number generator for creating the IV. The static IV fallback should be removed to ensure that a new, random IV is used for every encryption operation.
For the specific code modification, please use a secure random number generator such as os.urandom
or SystemRandom
from the random
module, and remove the option to return a static IV.
link:
Line 70 in e5416cf