Open gxx777 opened 1 year ago
Hello! First and foremost, I would like to express my sincere gratitude for your contributions to this project.
Description:
I have identified, with our cryptographic API misuse detector, a security vulnerability in the Text-steganography project's use of a constant salt for PBKDF key derivation. The issue is that a constant salt is being used, which can lead to security vulnerabilities.
Locations:
https://github.com/sakship31/Text-steganography/blob/master/AES.py#L7
References:
CWE-330: Use of Insufficiently Random Values
Suggested Fix:
I would recommend using a secure random salt for PBKDF2 key derivation. Here's an example of how to generate a secure random salt:
```python
import os

salt = os.urandom(16)  # 16 bytes (128 bits) is a common choice for a salt length.
```
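As an added illustration (this is not code from the Text-steganography project; the fixed salt value, iteration count and sample password below are constructed), the constant-salt derivation next to a random-salt version, showing why a fixed salt makes equal passwords yield equal keys and how the random salt is kept alongside the ciphertext so the key can be re-derived:

```python
import os
import hashlib
from typing import Optional, Tuple

# Constructed placeholder standing in for a hard-coded salt; the project's
# actual constant is deliberately not reproduced here.
CONSTANT_SALT = b"example-fixed-salt"
ITERATIONS = 200_000  # assumed work factor for this illustration
KEY_LEN = 32          # 32-byte key, i.e. AES-256


def derive_key_constant_salt(password: str) -> bytes:
    """Weak form: every derivation shares one salt, so identical passwords
    always map to identical keys and one precomputed table covers them all."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), CONSTANT_SALT,
                               ITERATIONS, KEY_LEN)


def derive_key_random_salt(password: str,
                           salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: a fresh 16-byte salt per derivation. The salt is not
    secret; it is returned so the caller can store it next to the ciphertext
    and pass it back in when the key is needed again for decryption."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, KEY_LEN)
    return salt, key


def demo() -> dict:
    """Compare both forms on the same password and report the properties."""
    pw = "correct horse battery staple"  # constructed sample password
    k1 = derive_key_constant_salt(pw)
    k2 = derive_key_constant_salt(pw)
    salt_a, key_a = derive_key_random_salt(pw)
    salt_b, key_b = derive_key_random_salt(pw)
    # Decrypt-side re-derivation: the stored salt reproduces the same key.
    _, key_a_again = derive_key_random_salt(pw, salt_a)
    return {
        "constant_salt_repeats": k1 == k2,
        "random_salt_differs": salt_a != salt_b and key_a != key_b,
        "stored_salt_rederives": key_a_again == key_a,
    }


if __name__ == "__main__":
    print(demo())
```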
Hey! Did you get any answer? Or make a fork of it? Thanks!