[tor-bugs] #12016 [Ooni]: Report ID Generated with Insecure RNG
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 15 16:15:57 UTC 2014
#12016: Report ID Generated with Insecure RNG
---------------------+-------------------------
Reporter: hellais | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Keywords: oonib | Actual Points:
Parent ID: | Points:
---------------------+-------------------------
defuse reported:
In #48 we are discussing the report ID being leaked through side channels.
There is currently a more severe issue: The random characters in the
report ID are generated with an insecure (predictable) random number
generator:
import random
# ...
def randomStr(length, num=True):
"""
Returns a random a mixed lowercase, uppercase, alfanumerical (if num
True)
string long length
"""
chars = string.ascii_lowercase + string.ascii_uppercase
if num:
chars += string.digits
return ''.join(random.choice(chars) for x in range(length))]
If the report ID is to be used for authentication, those characters should
be generated with a CSPRNG.
Note: This is not part of the Least Authority audit.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12016>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list