Skip to content

Use Secure Random Number Algorithm for Initialization Vector and Avoid Static IV #190

Open
@kexinoh

Description

@kexinoh

I have identified a potential security issue in the method get_initialization_vector within the class responsible for encryption configuration. The current implementation allows for the use of a static initialization vector (IV) and uses a non-secure random number generation method. The code snippet is as follows:

def get_initialization_vector(self, use_random_iv):
    if self.pubnub_configuration.use_random_initialization_vector or use_random_iv:
        return "{0:016}".format(random.randint(0, 9999999999999999))
    else:
        return Initial16bytes

Using a static IV is insecure as it can lead to the same ciphertext being generated for the same plaintext, which can be exploited by an attacker. Additionally, the use of random.randint is not cryptographically secure.
It is recommended to always use a cryptographically secure random number generator for creating the IV. The static IV fallback should be removed to ensure that a new, random IV is used for every encryption operation.
For the specific code modification, please use a secure random number generator such as os.urandom or SystemRandom from the random module, and remove the option to return a static IV.
link:

def get_initialization_vector(self, use_random_iv):

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions