AESContext i think the example is slightly dangerous #9226

RichardEllicott · 2024-04-14T01:54:30Z

in the example it is slightly dangerous:

https://docs.godotengine.org/en/stable/classes/class_aescontext.html

the line:
var iv = "My secret iv!!!!" # IV must be of exactly 16 bytes.

the iv in reality is supposed to be changed random each time you send out an encrypted piece of information... this prevents certain types of attacks. The IV is sent unencrypted along with the encrypted data. So an attacker can see the IV each time but it should be random..... i guess this is irritating but i had to make a little function:

static func get_random_bytes(count: int) -> PackedByteArray:
    randomize()
    var bytes = PackedByteArray()
    bytes.resize(count) 
    for i in count:
        bytes[i] = randi() % 255
    return bytes

CBC in the example is the best choice, the ECB i belive is pretty much obsolete

so i don't know if you can hold the users hand, but it's just a potential security loophole if someone follows the example

The text was updated successfully, but these errors were encountered:

RichardEllicott added the enhancement label Apr 14, 2024

skyace65 added the area:class reference Issues and PRs about the class reference, which should be addressed on the Godot engine repository label Apr 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AESContext i think the example is slightly dangerous #9226

AESContext i think the example is slightly dangerous #9226

RichardEllicott commented Apr 14, 2024 •

edited

AESContext i think the example is slightly dangerous #9226

AESContext i think the example is slightly dangerous #9226

Comments

RichardEllicott commented Apr 14, 2024 • edited

RichardEllicott commented Apr 14, 2024 •

edited