
Cryptographic API Misuse Vulnerability: Do not use insecure pseudo random number generator (PRNG) in a security context #20

Open
gxx777 opened this issue Jan 4, 2024 · 0 comments

Comments


gxx777 commented Jan 4, 2024

Hello!
First and foremost, I would like to express my sincere gratitude for your contributions to this project.

Description:

I have identified a security vulnerability in the solcrypto project concerning an insecure PRNG.

PRNGs are used to generate random numbers that are unpredictable and uniformly distributed. However, some PRNGs are not truly random and can be predicted or reproduced, which can compromise the security of cryptographic applications that rely on them, such as key derivation, encryption, or digital signatures. Examples of insecure PRNGs are random.randbytes or random.randint. These PRNGs should not be used in a security context and should be replaced by more secure ones, such as secrets.token_bytes or os.urandom. This corresponds to CWE-338: Use of Cryptographically Weak PRNG.

Locations:

key = randint(2, field_modulus - 2)

nonce = randint(2, field_modulus - 2)

References:

CWE-338: Use of Cryptographically Weak PRNG.

Recommendations:

Random IV Generation: Implement a secure random salt generator, such as the secrets library.

Immediate attention to this issue is recommended to maintain the privacy and security of solcrypto users.
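An added example, not code from solcrypto or from the issue author, contrasting the flagged `randint(2, field_modulus - 2)` pattern with a `secrets`-based draw over the same inclusive range. `FIELD_MODULUS` is a constructed stand-in (the project's real modulus is not quoted in the issue), and `keys_from_seed` only illustrates that a seeded Mersenne Twister reproduces its "random" keys.

```python
"""Added example (not solcrypto's code): why randint() is the wrong tool for a
secret scalar and how to draw the same range with the secrets module."""
import secrets
from random import Random

# Constructed stand-in for solcrypto's field_modulus; the real value is not in the issue.
FIELD_MODULUS = 2**127 - 1


def insecure_scalar(rng: Random, field_modulus: int) -> int:
    """Mirrors the flagged line, randint(2, field_modulus - 2), on a Mersenne
    Twister instance. Its output is fully determined by the generator state."""
    return rng.randint(2, field_modulus - 2)


def secure_scalar(field_modulus: int) -> int:
    """CSPRNG replacement for the same inclusive range [2, field_modulus - 2].
    secrets.randbelow(n) is uniform on [0, n), so shift by 2 and size the
    interval to field_modulus - 3 values; no modulo bias is introduced."""
    if field_modulus < 5:
        raise ValueError("field_modulus too small for the range [2, p - 2]")
    return 2 + secrets.randbelow(field_modulus - 3)


def in_scalar_range(x: int, field_modulus: int) -> bool:
    """True when x lies in the inclusive range both generators target."""
    return 2 <= x <= field_modulus - 2


def keys_from_seed(seed: int, field_modulus: int, count: int) -> list:
    """Draw `count` keys the way the flagged code does, from a generator
    seeded with `seed`. Anyone who knows or guesses the seed obtains the
    same keys, which is the CWE-338 failure mode in miniature."""
    rng = Random(seed)
    return [insecure_scalar(rng, field_modulus) for _ in range(count)]


if __name__ == "__main__":
    print("insecure, seed 1234:", keys_from_seed(1234, FIELD_MODULUS, 2))
    print("insecure, seed 1234 again:", keys_from_seed(1234, FIELD_MODULUS, 2))
    print("secure:", secure_scalar(FIELD_MODULUS))
```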
