Uploaded image for project: 'MusicBrainz Server'
  1. MusicBrainz Server
  2. MBS-7461

Remember-me token has less than the advertised entropy

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2014-09-15
    • Component/s: Accounts
    • Labels:
      None

      Description

      allocate_remember_me_token contains this code:

      # Generate a 128-bit token. irand is 32-bit.
      my $token = join('', map { '' . Math::Random::Secure::irand() } (0 .. 3));
      

      This doesn't provide what it advertises, i.e. 128 bit of entropy, because multiple quadruples of 32-bit numbers map to the same token (e.g. 12, 34, 56, 78 and 1, 234, 567, 8 have the same concatenation).

      It's not a problem in practice since it's still worth more than 126 bits. It doesn't look good, though.

        Attachments

          Activity

            People

            • Assignee:
              chirlu Ulrich Klauer
              Reporter:
              chirlu Ulrich Klauer
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Due:
                Created:
                Updated:
                Resolved:

                Packages

                Version Package
                2014-09-15