[Openstack-security] [Bug 1649634] Re: Insecure Randomness for AES Passphrase Generation

Jeremy Stanley fungi at yuggoth.org
Wed Jan 18 16:26:39 UTC 2017


** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649634

Title:
  Insecure Randomness for AES Passphrase Generation

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In cinder/volume/drivers/synology/synology_common.py:176 in function
  _random_AES_passpharse() (sic) randint is used to generate an index
  that is used to select which character is added to the AES key.
  However, this is insecure and is stated in the Python documentation
  where they write "The pseudo-random generators of this module should
  not be used for security purposes."

  They recommend instead using os.urandom() or SystemRandom if a
  cryptographically secure prng is required.

  The proposed fix would be to simply be to use SystemRandom as it has
  all of the same functions from random implemented and does not require
  any new libraries.

  Another option is to use the Crypto library which is already imported
  in the file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1649634/+subscriptions




More information about the Openstack-security mailing list