Bug#930662: libauth-googleauth-perl: poor source of entropy for secret generation
Raphael Geissert
geissert at debian.org
Mon Jun 17 21:54:31 BST 2019
Package: libauth-googleauth-perl
Version: 1.02-1
Severity: important
Tags: security
Hi,
Auth::GoogleAuth uses the rand function to generate a 16-byte secret
key for TOTP authentication. Sadly, rand is a poor source of
randomness and unsuitable for crypto-related uses.
Following RFC6238's SHOULDs, Auth::GoogleAuth should use a CSPRNG like
urandom as a source to generate the key, and possibly generate a
20-byte key to follow a second SHOULD.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org
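The contrast the report draws, as an added example that is not part of the bug report or of Auth::GoogleAuth itself. It is written in Python rather than Perl so the two generators can sit side by side with the RFC 6238 computation that consumes the key: `weak_secret` uses a general-purpose seeded PRNG (Python's Mersenne Twister standing in for Perl's rand), `strong_secret` draws 20 bytes from the OS CSPRNG (`secrets.token_bytes`, which reads os.urandom), and `hotp`/`totp` implement RFC 4226/6238 so the key can be checked against the RFC's published SHA-1 test vector. The function names and the `seed` parameter are this example's own.

```python
"""Added example: weak vs. CSPRNG-backed TOTP secret generation, plus the
RFC 4226/6238 code computation that uses the secret.  Not code from
Auth::GoogleAuth; the helper names below are this example's own."""
import base64
import hashlib
import hmac
import random
import secrets
import struct
import time
from typing import Optional


def weak_secret(nbytes: int = 16, seed: Optional[int] = None) -> bytes:
    """Mirrors the reported flaw: a general-purpose PRNG (Mersenne Twister
    here, standing in for Perl's rand) drives key generation.  The output is
    a pure function of the seed, so two processes seeded alike hand out the
    same 'secret', and enough observed outputs let the state be recovered.
    Kept only to show the problem; never use this for keys."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_secret(nbytes: int = 20) -> bytes:
    """The fix: bytes from the OS CSPRNG (os.urandom under the hood), and a
    20-byte default so the key length matches the 160-bit HMAC-SHA-1 output,
    as RFC 6238 section 5.1 recommends."""
    return secrets.token_bytes(nbytes)


def to_base32(secret: bytes) -> str:
    """otpauth:// provisioning URIs carry the key as unpadded base32.
    A 20-byte key encodes to exactly 32 characters with no padding."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def from_base32(encoded: str) -> bytes:
    """Inverse of to_base32, restoring the '=' padding b32decode expects."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


if __name__ == "__main__":
    key = strong_secret()
    print("base32 secret for the authenticator app:", to_base32(key))
    print("current code:", totp(key))
```

Running the module prints a fresh 32-character base32 secret and the code an authenticator app would show for it right now. The `weak_secret` path is what to look for in a code review: any key derived from a language's default `rand` is reproducible by anyone who can guess or observe the seed, which for a short-state PRNG is a small search.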