Skip Menu |

This queue is for tickets about the File-KeePass CPAN distribution.

Report information
The Basics
Id: 117836
Status: new
Priority: 0/
Queue: File-KeePass
People
Owner: Nobody in particular
Requestors: vma [...] randomcrap.eu
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Sep 14 13:17:28 2016 vma [...] randomcrap.eu - Ticket created
Subject: Use of cryptographically insecure rand for IVs and Keys
Date: Wed, 14 Sep 2016 19:17:10 +0200
To: bug-File-KeePass [...] rt.cpan.org
From: Viktor Liu <vma [...] randomcrap.eu>
Hi, the module is making use of the perl rand function for key and iv generation (for Crypt::Rijndael). This seems pretty insecure to me, from the perl doc: "rand is not cryptographically secure. You should not rely on it in security-sensitive situations.". Is this intended? I'd rather use something like Bytes::Random::Secure. I will provide a patch once I got time. Yours sincerely, Viktor
  Wed Sep 14 13:20:59 2016 vma [...] randomcrap.eu - Correspondence added
Subject: Re: [rt.cpan.org #117836] AutoReply: Use of cryptographically insecure rand for IVs and Keys
Date: Wed, 14 Sep 2016 19:20:47 +0200
To: bug-File-KeePass [...] rt.cpan.org
From: Viktor Liu <vma [...] randomcrap.eu>
I mean something like this: Show quoted text
> sub lock { > ... > $ref->{'_key'} = join '', map {chr rand 256} 1..32; > $ref->{'_enc_iv'} = join '', map {chr rand 256} 1..16; > ... > }
Yours sincerely, Viktor