
fix: use random nonce per call in AES-GCM onboarding signature#270

Merged
ankitdas13 merged 1 commit into master from fix/aes-gcm-nonce-reuse on Jun 8, 2026

Conversation

@rzp-slash rzp-slash Bot commented Jun 3, 2026

Contributor

Summary

  • Updated generate_onboarding_signature to use a random 12-byte IV per encryption call instead of a static IV.
  • New output format: hex(iv[12 bytes] || ciphertext || tag[16 bytes])

Changes

  • Generate a fresh random nonce on every encryption call
  • Prepend the IV to the output so the receiver can extract it for decryption

Companion PRs (same fix across all partner SDKs)

Test plan

  • Verify generate_onboarding_signature produces a different hex string on every call with the same input
  • Verify Razorpay backend successfully decrypts the new format

🤖 Generated with Claude Code

Replaces the static IV (first 12 bytes of the secret) with OpenSSL::Random.random_bytes(12) generated fresh for every encryption call.

The old approach caused AES-GCM nonce reuse: an attacker who collects two onboarding_signature values from partner URLs can XOR the ciphertexts to cancel the keystream and forge a valid signature for any submerchant ID without knowing the partner secret key (NIST SP 800-38D §8.3 Forbidden Attack).

New output format: hex(iv[12] || ciphertext || tag[16])
The receiver reads the first 24 hex chars as the IV before decrypting.

Reported via HackerOne #3754503 (ISS-2528895), SLA: 2026-06-05.

Co-authored-by: ankitdas13 <ankit.das@razorpay.com>
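The scheme the PR describes, written out as an added Ruby example (not the SDK's own code): a fresh 12-byte IV from OpenSSL::Random on every call, output as hex(iv || ciphertext || tag), and a receiver that takes the first 24 hex chars as the IV and lets GCM verify the tag before returning plaintext. It assumes the partner secret is used directly as a 32-byte AES-256 key and that no AAD is bound; both are assumptions of this example, not details from the PR.

```ruby
require 'openssl'

IV_LEN  = 12   # 96-bit GCM nonce, random per call (the fix in this PR)
TAG_LEN = 16   # 128-bit GCM authentication tag

# Encrypts submerchant_id under the partner secret and returns
# hex(iv || ciphertext || tag). The secret is used directly as the 32-byte
# AES-256 key here; that key handling is an assumption of this example.
def generate_onboarding_signature(submerchant_id, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = OpenSSL::Random.random_bytes(IV_LEN)   # never derived from the secret
  cipher.iv = iv
  cipher.auth_data = ''
  ciphertext = cipher.update(submerchant_id) + cipher.final
  (iv + ciphertext + cipher.auth_tag(TAG_LEN)).unpack1('H*')
end

# Receiver side: read the first 24 hex chars as the IV, the last 32 as the tag,
# and let GCM verify the tag before any plaintext is returned.
def decrypt_onboarding_signature(hex_signature, secret)
  raw = [hex_signature].pack('H*')
  raise ArgumentError, 'signature too short' if raw.bytesize < IV_LEN + TAG_LEN
  iv  = raw.byteslice(0, IV_LEN)
  tag = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
  ct  = raw.byteslice(IV_LEN, raw.bytesize - IV_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ct) + cipher.final   # OpenSSL::Cipher::CipherError if the tag mismatches
end

# Check that a one-nibble change to the signature is rejected by the tag check.
def rejects_tampering?(hex_signature, secret)
  tampered = hex_signature.dup
  tampered[-1] = (tampered[-1] == '0' ? '1' : '0')   # flip a nibble of the tag
  decrypt_onboarding_signature(tampered, secret)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if __FILE__ == $PROGRAM_NAME
  secret = 'k' * 32                                 # constructed test secret
  s1 = generate_onboarding_signature('acc_ABC123', secret)
  s2 = generate_onboarding_signature('acc_ABC123', secret)
  puts "nonces differ: #{s1[0, 24] != s2[0, 24]}"  # fresh IV each call
  puts "round trip:    #{decrypt_onboarding_signature(s1, secret)}"
end
```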
@ankitdas13 ankitdas13 self-requested a review June 8, 2026 13:12
@ankitdas13 ankitdas13 added the TestingNotRequired label (label for BVT) Jun 8, 2026

@ankitdas13 ankitdas13 left a comment

Contributor

LGTM

@ankitdas13 ankitdas13 merged commit 741553f into master Jun 8, 2026
4 of 6 checks passed
@ankitdas13 ankitdas13 mentioned this pull request Jun 8, 2026
3 tasks
@rzp-slash rzp-slash Bot changed the title from "fix: use random nonce per call in AES-GCM onboarding signature (ISS-2528895)" to "fix: use random nonce per call in AES-GCM onboarding signature" Jun 9, 2026