[Openstack-security] [Bug 1649634] Re: Insecure Randomness for AES Passphrase Generation
Jeremy Stanley
fungi at yuggoth.org
Wed Jan 18 16:26:39 UTC 2017
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649634
Title:
Insecure Randomness for AES Passphrase Generation
Status in Cinder:
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
In cinder/volume/drivers/synology/synology_common.py:176 in function
_random_AES_passpharse() (sic) randint is used to generate an index
that is used to select which character is added to the AES key.
However, this is insecure, as stated in the Python documentation,
where they write "The pseudo-random generators of this module should
not be used for security purposes."
They recommend instead using os.urandom() or SystemRandom if a
cryptographically secure prng is required.
The proposed fix would simply be to use SystemRandom, as it has all of
the same functions from random implemented and does not require any
new libraries.
Another option is to use the Crypto library which is already imported
in the file.
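As an added illustration (this is constructed example code, not Cinder's synology_common.py), the randint pattern the report describes beside the SystemRandom and os.urandom() alternatives it proposes, plus a seed-reproducibility check that shows why the randint version is unsuitable for key material. Function and constant names are assumptions.

```python
import os
import random
import string

# Constructed reconstruction of the pattern the bug report describes
# (a randint index picking characters from a charset); it is not Cinder's
# actual synology_common.py code.
PASSPHRASE_CHARS = string.ascii_letters + string.digits
PASSPHRASE_LEN = 32


def random_aes_passphrase_insecure(length=PASSPHRASE_LEN):
    """The reported pattern: random.randint() selects each character.

    The random module is a Mersenne Twister meant for statistical, not
    cryptographic, use; its output is reproducible from its seed/state.
    """
    return ''.join(PASSPHRASE_CHARS[random.randint(0, len(PASSPHRASE_CHARS) - 1)]
                   for _ in range(length))


def random_aes_passphrase_secure(length=PASSPHRASE_LEN):
    """The fix proposed in the report: random.SystemRandom exposes the same
    API as random but draws from os.urandom(), the OS CSPRNG."""
    rng = random.SystemRandom()
    return ''.join(rng.choice(PASSPHRASE_CHARS) for _ in range(length))


def random_aes_key_bytes(nbytes=32):
    """The other option named in the report: os.urandom() directly.
    AES consumes raw key bytes, so 32 bytes gives a full AES-256 key."""
    return os.urandom(nbytes)


def reproducible_under_seed(generate, seed=1234):
    """Defender's check: seed the module-level PRNG, generate twice with the
    same seed, and report whether the outputs match. A CSPRNG-backed
    generator ignores the seed and yields different passphrases."""
    random.seed(seed)
    first = generate()
    random.seed(seed)
    second = generate()
    return first == second


if __name__ == '__main__':
    print('randint-based reproducible:', reproducible_under_seed(random_aes_passphrase_insecure))
    print('SystemRandom reproducible:', reproducible_under_seed(random_aes_passphrase_secure))
```

The same check is a cheap unit test to add to any driver that builds keys or passphrases from a character set: a generator that reproduces its output under a fixed seed is not drawing from a CSPRNG.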