Use Secure Random Number Algorithm for Initialization Vector and Avoid Static IV #190
Description
I have identified a potential security issue in the method get_initialization_vector within the class responsible for encryption configuration. The current implementation allows for the use of a static initialization vector (IV) and uses a non-secure random number generation method. The code snippet is as follows:
def get_initialization_vector(self, use_random_iv):
if self.pubnub_configuration.use_random_initialization_vector or use_random_iv:
return "{0:016}".format(random.randint(0, 9999999999999999))
else:
return Initial16bytesUsing a static IV is insecure as it can lead to the same ciphertext being generated for the same plaintext, which can be exploited by an attacker. Additionally, the use of random.randint is not cryptographically secure.
It is recommended to always use a cryptographically secure random number generator for creating the IV. The static IV fallback should be removed to ensure that a new, random IV is used for every encryption operation.
For the specific code modification, please use a secure random number generator such as os.urandom or SystemRandom from the random module, and remove the option to return a static IV.
link:
Line 70 in e5416cf