[tor-bugs] #12016 [Ooni]: Report ID Generated with Insecure RNG
#12016: Report ID Generated with Insecure RNG
---------------------+-------------------------
Reporter: hellais | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Keywords: oonib | Actual Points:
Parent ID: | Points:
---------------------+-------------------------
defuse reported:
In #48 we are discussing the report ID being leaked through side channels.
There is currently a more severe issue: The random characters in the
report ID are generated with an insecure (predictable) random number
generator:
import random
import string  # needed for string.ascii_lowercase etc.; not shown in the quoted excerpt
# ...
def randomStr(length, num=True):
    """
    Returns a random string of the given length, mixing lowercase and
    uppercase letters (and digits, if num is True)
    """
    chars = string.ascii_lowercase + string.ascii_uppercase
    if num:
        chars += string.digits
    # random.choice draws from Python's Mersenne Twister, which is not a CSPRNG
    return ''.join(random.choice(chars) for x in range(length))
If the report ID is to be used for authentication, those characters should
be generated with a CSPRNG.
Note: This is not part of the Least Authority audit.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12016>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
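The fix the ticket asks for, as an added example that is not oonib's own code: the reported pattern is kept only to show that a seeded `random` produces the same "random" ID every time, next to a drop-in replacement built on the `secrets` module, an entropy estimate for the resulting ID, and a constant-time comparison for when the ID is checked as a credential. The alphabet is assumed to be the one in the quoted `randomStr()`.

```python
import hmac
import math
import random
import secrets
import string


def _alphabet(num=True):
    """Same character set as the quoted randomStr() (assumed unchanged)."""
    chars = string.ascii_lowercase + string.ascii_uppercase
    if num:
        chars += string.digits
    return chars


def insecure_random_str(length, num=True, seed=None):
    """The pattern reported in the ticket: Mersenne Twister via random.choice.
    Given the same seed the ID is identical, which is why it is unfit for
    an ID that doubles as an authentication secret."""
    rng = random.Random(seed)
    return ''.join(rng.choice(_alphabet(num)) for _ in range(length))


def secure_random_str(length, num=True):
    """Drop-in replacement drawing from the OS CSPRNG via secrets.choice."""
    chars = _alphabet(num)
    return ''.join(secrets.choice(chars) for _ in range(length))


def token_entropy_bits(length, num=True):
    """Bits of entropy in a CSPRNG-generated ID of this length."""
    return length * math.log2(len(_alphabet(num)))


def report_id_matches(presented, stored):
    """Constant-time comparison so that checking the ID does not leak how
    much of it matched through timing."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    same = insecure_random_str(16, seed=1) == insecure_random_str(16, seed=1)
    print("seeded random reproduces the ID:", same)
    rid = secure_random_str(32)
    print("CSPRNG report ID:", rid, round(token_entropy_bits(32), 1), "bits")
```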