Entropy pool security flaw fix and enhancements

Pre-release
@chris47368 chris47368 released this 02 Aug 00:50
· 28 commits to main since this release
a3434e0

######Security flaw fix######

  • A bug introduced in SLASH 4.86 effectively erased the bitrate portion (output) of the Slash hash internal state on the first of two runs between each entropy capture/generation cycle. This has been fixed by creating a temporary instance of Slash hash and feeding it the current entropy pool, the time, and the milliseconds since the program was opened, to create an intermediate hash. This intermediate hash is then input into the permanent instance (the entropy-producing version) of Slash hash to create the final new entropy pool state.
    The security impact of this bug on entropy generation was Moderate. It only affects SLASH 4.86.
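
The two-stage update described above, sketched as an added example; this is not SLASH's own code. SHA3-512 stands in for Slash hash, and the class name, method names and input encoding are assumptions made for illustration.

```python
import hashlib
import struct
import time
from datetime import datetime, timezone


class EntropyPool:
    """Two-stage pool update; SHA3-512 is a stand-in for Slash hash (assumption)."""

    def __init__(self, seed: bytes):
        self._started = time.monotonic()
        # Permanent instance: created once and never reset, so its internal
        # state accumulates every intermediate hash fed to it.
        self._permanent = hashlib.sha3_512()
        self._permanent.update(seed)
        self.pool = self._permanent.digest()

    def _uptime_ms(self) -> int:
        # Milliseconds since this object (standing in for the program) started.
        return int((time.monotonic() - self._started) * 1000)

    def stir(self, now=None, uptime_ms=None) -> bytes:
        """Run one capture/generation cycle and return the new pool state."""
        # UTC time, matching the DateTime.UtcNow change in this release.
        now = datetime.now(timezone.utc) if now is None else now
        uptime_ms = self._uptime_ms() if uptime_ms is None else uptime_ms

        # Stage 1: a temporary instance hashes pool || time || uptime into an
        # intermediate value. It is discarded afterwards, so nothing done here
        # can disturb the permanent instance's state.
        temp = hashlib.sha3_512()
        temp.update(self.pool)
        temp.update(struct.pack(">q", int(now.timestamp() * 1_000_000)))
        temp.update(struct.pack(">Q", uptime_ms))
        intermediate = temp.digest()

        # Stage 2: only the intermediate hash is absorbed by the permanent
        # instance; its output becomes the new pool state.
        self._permanent.update(intermediate)
        self.pool = self._permanent.digest()
        return self.pool
```

Passing `now` and `uptime_ms` explicitly makes a cycle reproducible for testing; in normal use both are captured at call time.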

######Enhancements in entropy pool generation######

  • Entropy pool generation now has its own module file, instead of the subroutine being contained in Start.vb (the first form that opens, giving the choice between text or file encryption/decryption)

  • The time for entropy generation is now captured as DateTime.UtcNow as opposed to DateTime.Now

Encryption/decryption is backwards compatible with previous SLASH 4.8x releases.

Please update to SLASH 4.87 due to the security flaw in SLASH 4.86 mentioned above!