
Insecure Randomness in generate_secret_key.py #1092

Closed
tam7t opened this issue Apr 20, 2017 · 2 comments
Labels
type: bug A confirmed report of unexpected behavior in the application

Comments

@tam7t

tam7t commented Apr 20, 2017

Issue type: bug report

Python version:
NetBox version:

While the seed is cryptographically secure, the random module uses the Mersenne Twister by default, which is not secure.

Additionally, the way that random.seed works (by taking a hash of the provided value) results in a significantly smaller keyspace than intended.

@tam7t tam7t added the type: bug A confirmed report of unexpected behavior in the application label Apr 20, 2017
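To make the two points in the report concrete, here is an added example (not code from NetBox or from the issue author) that places the reported pattern, a cryptographically secure seed fed into Python's Mersenne Twister generator, next to a hardened form that draws every character from the operating system's CSPRNG via the `secrets` module. The character set and key length are constructed for the example and assumed to resemble what a Django SECRET_KEY generator would use; the entropy helpers show why a deterministic PRNG can never yield more key entropy than the seed it was given.

```python
import math
import random
import secrets

# Alphabet and length for the generated key (constructed for this example;
# assumed to resemble a typical Django SECRET_KEY generator's settings).
CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*(-_=+)'
KEY_LENGTH = 50


def weak_secret_key(seed: bytes, length: int = KEY_LENGTH) -> str:
    """The pattern the issue describes: a secure seed (e.g. from os.urandom)
    is fed into the Mersenne Twister PRNG and characters are drawn with
    random.choice. A private Random instance is used here so the module-level
    generator is untouched; the weakness is identical. The output is a pure
    function of the seed, which is exactly what makes it unsuitable for keys."""
    rng = random.Random(seed)
    return ''.join(rng.choice(CHARSET) for _ in range(length))


def strong_secret_key(length: int = KEY_LENGTH) -> str:
    """Hardened form: secrets.choice is backed by random.SystemRandom, which
    reads the OS CSPRNG for every draw. There is no seed to hash and no
    generator state that could be reproduced from earlier outputs."""
    return ''.join(secrets.choice(CHARSET) for _ in range(length))


def key_entropy_bits(length: int = KEY_LENGTH,
                     charset_size: int = len(CHARSET)) -> float:
    """Entropy of a key chosen uniformly from charset_size ** length values."""
    return length * math.log2(charset_size)


def effective_entropy_bits(seed_bits: int, length: int = KEY_LENGTH) -> float:
    """Upper bound on the entropy of a key produced by a deterministic PRNG:
    however long the key, it cannot exceed the entropy of the (hashed) seed
    that selected the generator state. This is the keyspace-reduction point
    raised in the report."""
    return min(float(seed_bits), key_entropy_bits(length))


if __name__ == '__main__':
    # Same seed, same key: the weak form is reproducible by construction.
    print(weak_secret_key(b'constructed-seed') == weak_secret_key(b'constructed-seed'))
    print(strong_secret_key())
    print(f'uniform key entropy: {key_entropy_bits():.1f} bits')
    print(f'bounded by a 64-bit seed: {effective_entropy_bits(64):.1f} bits')
```

Running the block shows the weak generator returning the identical key for an identical seed, while the `secrets`-based generator never takes a seed at all. The entropy figures make the second point visible: a 50-character key over this alphabet represents roughly 312 bits of choice, but if the seed is reduced to a fixed-width hash before it reaches the generator, the number of reachable keys is bounded by that hash width rather than by the key length.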
@jeremystretch
Member

generate_secret_key.py is a convenience tool used to generate one-off random values for Django's SECRET_KEY configuration setting. If we were generating millions of keys per second, this might be a concern, but I see no reason to deviate from the current logic. (Additionally, the PR submitted against this would have reduced the key space by a factor of 12^50.)

@jeremystretch
Member

Spoke with @tam7t some more and now I understand what he was saying. I still want to avoid using the base64 library though.

@jeremystretch jeremystretch reopened this Apr 21, 2017
lampwins pushed a commit to lampwins/netbox that referenced this issue Oct 13, 2017
@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2020