Comments (3)
I've modified lines 85, 86 and 110:

line 85:  trezor_entropy = client.get_entropy(32).encode('hex')
line 86:  urandom_entropy = os.urandom(32).encode('hex')
line 110: print passw.encode('hex')

Although perhaps only the 3rd edit is required.

Please confirm action on your device. 28bee36480aaf1dec7137fbdc0b0e5d0cfde58295f1f47cdc63dfa8af695fbbb

Edit: base64 encoding is probably a better choice:

print passw.encode('base64')
from python-trezor.
This is not actually a vulnerability. Rather than looking at the output, look at the code to determine if this is secure.

import hashlib
import os

# 32 random bytes from the device, 32 from the host OS, hashed together
trezor_entropy = client.get_entropy(32)
urandom_entropy = os.urandom(32)
passw = hashlib.sha256(trezor_entropy + urandom_entropy).digest()

So the fact that passw is often short does not affect the security of this. By examining the code one can see that this is made up of combining two sources of entropy, both 32 bytes of randomness, and hashing them. The length of the output is irrelevant. There is plenty of randomness in this case.

The perceived vulnerability is due to the output of passw not being stored as a base64 encoded string. It is not actually made up of question marks; those are due to your computer not understanding how to interpret the data as a string.

Encoding passw in base64 or hex does not improve the security of anything. Instead it improves the perceived security of it if you look at the output. But for anyone trying to brute force it, this will not change anything. It would just force them to generate random values that are base64 encoded instead.
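The reasoning in the comment above (two independent 32-byte sources hashed with SHA-256, with the display encoding having no bearing on strength), carried through as an added Python 3 example. This is not code from python-trezor or from any commenter's script: `device_entropy_stub` is an assumed stand-in for `client.get_entropy` so the example runs with no device attached, and everything else is standard library. It also shows why the raw password prints as question marks and that hex/base64 are lossless re-encodings rather than stronger secrets.

```python
import base64
import hashlib
import os

KEY_LEN = 32  # both sources contribute 256 bits, as in the script under discussion


def device_entropy_stub(n: int) -> bytes:
    """Stand-in for client.get_entropy(n) from python-trezor (assumption: the real
    call asks the device for n random bytes; os.urandom is used here so the
    example runs without hardware)."""
    return os.urandom(n)


def mix_entropy(device_bytes: bytes, host_bytes: bytes) -> bytes:
    """Combine two independent 32-byte entropy sources into one 32-byte secret.

    SHA-256 over the concatenation is at least as unpredictable as the better
    of the two inputs, so even if one source is weak or attacker-controlled the
    result is no easier to guess than the other source alone."""
    if len(device_bytes) != KEY_LEN or len(host_bytes) != KEY_LEN:
        raise ValueError("each source must contribute exactly %d bytes" % KEY_LEN)
    return hashlib.sha256(device_bytes + host_bytes).digest()


def views(secret: bytes) -> dict:
    """Several presentations of the same 32 bytes. The raw bytes are the secret;
    hex and base64 are reversible re-encodings of them, not stronger secrets."""
    return {
        "raw_len": len(secret),
        "hex": secret.hex(),                                  # 64 chars over a 16-symbol alphabet
        "base64": base64.b64encode(secret).decode("ascii"),   # 44 chars including '=' padding
        # What a terminal shows when it decodes the raw bytes as UTF-8: each
        # invalid byte becomes U+FFFD, which many fonts draw as '?' or a box.
        "as_text": secret.decode("utf-8", errors="replace"),
    }


def encodings_are_lossless(secret: bytes) -> bool:
    """Decoding the displayed form recovers the exact bytes, so the encoding
    neither adds nor removes entropy: an attacker faces 2**256 guesses either way."""
    v = views(secret)
    return (bytes.fromhex(v["hex"]) == secret
            and base64.b64decode(v["base64"]) == secret)


def generate_password() -> bytes:
    """The procedure from the script, in Python 3: device entropy + host entropy -> SHA-256."""
    return mix_entropy(device_entropy_stub(KEY_LEN), os.urandom(KEY_LEN))


if __name__ == "__main__":
    passw = generate_password()
    v = views(passw)
    print("raw length :", v["raw_len"])
    print("hex        :", v["hex"])
    print("base64     :", v["base64"])
    print("as text    :", repr(v["as_text"]))
    print("lossless   :", encodings_are_lossless(passw))
```

Running it prints a 64-character hex string and a 44-character base64 string for the same 32 bytes, and the `as text` line is where the replacement characters appear; the `lossless` check confirms that either string decodes back to exactly the bytes that were hashed.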
Right. Autogenerated password is binary.