Remove time component from for AES-GSM keys #326

Closed
carsonfarmer opened this issue Oct 23, 2018 · 3 comments

Comments

@carsonfarmer
Member

commented Oct 23, 2018

We should just move to reading 44 bytes from crypto/rand Reader and be done with it. This gives us a cryptographically secure random number generator, even on mobile.

@sanderpick

Member

commented Oct 23, 2018

Ah yeah, duh... relic from lazily wanting a pre-utf8 compatible AES key. We can just base58 encode the random bytes when we need it as a string for URL parameters.

@sanderpick changed the title from "Switch to crypto random bytes (`crypto/rand Reader`) for AES-GSM keys" to "Remove time component from for AES-GSM keys" on Oct 24, 2018

sanderpick added a commit that referenced this issue Oct 24, 2018

fix(crypto): kill lazy ksuid usage in AES keys [skip ci]
This was a pretty silly way to avoid dealing with string encoding. Of course, I didn't come back and
fix it until after someone else noticed ;) With this change plus the thread encryption updates in
05a269c, we'd be ready for an actual security review.

fixes #326
@sanderpick

Member

commented Oct 24, 2018

done in 386b63c

@carsonfarmer

Member Author

commented Oct 24, 2018

Thanks for the quick turnaround on that one @sanderpick:

> With this change plus the thread encryption updates in 05a269c, we'd be ready for an actual security review.

For those following along at home, this fix should make it into release once #300 is done and merged.
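
An added example, not part of the thread and not the project's own code: the approach proposed above, reading 44 bytes from `crypto/rand` and base58-encoding them for a URL parameter. The names `NewKeyMaterial`, `Base58` and `Seal`, and the split of the 44 bytes into a 32-byte AES-256 key plus a 12-byte GCM nonce, are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
)

const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// NewKeyMaterial reads 44 bytes from the OS CSPRNG via crypto/rand.
func NewKeyMaterial() ([]byte, error) {
	m := make([]byte, 44)
	_, err := rand.Read(m) // on error, fail; never fall back to time or math/rand
	return m, err
}

// Base58 encodes raw bytes (Bitcoin alphabet) so they fit in a URL parameter.
func Base58(b []byte) (out string) {
	n, radix, mod := new(big.Int).SetBytes(b), big.NewInt(58), new(big.Int)
	for n.Sign() > 0 {
		n.DivMod(n, radix, mod)
		out = string(b58[mod.Int64()]) + out
	}
	for i := 0; i < len(b) && b[i] == 0; i++ {
		out = "1" + out // each leading zero byte becomes '1'
	}
	return out
}

// Seal assumes the layout m[:32] = AES-256 key, m[32:] = GCM nonce; one message per material.
func Seal(m, plaintext []byte) ([]byte, error) {
	if len(m) != 44 {
		return nil, fmt.Errorf("want 44 bytes of key material, got %d", len(m))
	}
	block, _ := aes.NewCipher(m[:32]) // cannot fail: 32 bytes is a valid AES key size
	gcm, _ := cipher.NewGCM(block)    // cannot fail: AES has a 16-byte block
	return gcm.Seal(nil, m[32:], plaintext, nil), nil
}

func main() {
	m, err := NewKeyMaterial()
	if err != nil {
		panic(err)
	}
	fmt.Println("url param:", Base58(m))
}
```

Because the nonce travels with the key in this layout, encrypting a second message under the same 44 bytes would reuse a GCM nonce; generate fresh material per message.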
