Skip to content
This repository was archived by the owner on Apr 11, 2024. It is now read-only.

Use cryptographically random bytes to generate nonce#98

Merged
thecodepixi merged 1 commit intomainfrom
ellul/crypto-nonce
Feb 9, 2021
Merged

Use cryptographically random bytes to generate nonce#98
thecodepixi merged 1 commit intomainfrom
ellul/crypto-nonce

Conversation

@NEllusion
Copy link
Copy Markdown
Contributor

@NEllusion NEllusion commented Feb 9, 2021
edited
Loading

WHY are these changes introduced?

The current implementation of the nonce generating function is based off of the current date (in seconds), and Math.random. Math.random is not cryptographically secure and as a result, the numbers can be predicted. Switching to using cryptographically random bytes to generate the nonce will allow for a more truly random numbers.

WHAT is this pull request doing?

This PR makes use of node's crypto.randomBytes() function to generate 15 random bytes. I then mod by 10 to extract the last digit from the byte and use that as a digit in the nonce.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

@NEllusion NEllusion requested a review from a team as a code owner February 9, 2021 16:35
@mkevinosullivan
Copy link
Copy Markdown
Contributor

mkevinosullivan commented Feb 9, 2021

Thank you Nicholas. I didn't realize Math.random() was so unsafe.

thecodepixi
thecodepixi approved these changes Feb 9, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@thecodepixi thecodepixi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this Nicholas! This is a much better approach.

@thecodepixi thecodepixi merged commit 839b8cd into main Feb 9, 2021
@thecodepixi thecodepixi deleted the ellul/crypto-nonce branch February 9, 2021 18:38
@thecodepixi thecodepixi temporarily deployed to production February 10, 2021 16:52 Inactive
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@thecodepixi thecodepixi thecodepixi approved these changes

@mkevinosullivan mkevinosullivan mkevinosullivan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NEllusion @mkevinosullivan @thecodepixi