From 88a2ca8ff50f653da5744c05f613424df51f24ef Mon Sep 17 00:00:00 2001
From: Ian Shim <100327837+ian-shim@users.noreply.github.com>
Date: Thu, 24 Oct 2024 09:31:40 -0700
Subject: [PATCH] Replace `math/rand` with `crypto/rand` for generating challenge (#829)

---
 disperser/apiserver/server.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/disperser/apiserver/server.go b/disperser/apiserver/server.go
index 436ac2d8c5..0c271b372a 100644
--- a/disperser/apiserver/server.go
+++ b/disperser/apiserver/server.go
@@ -2,9 +2,10 @@ package apiserver
 
 import (
 "context"
+ "crypto/rand"
+ "encoding/binary"
 "errors"
 "fmt"
- "math/rand"
 "net"
 "slices"
 "strings"
@@ -146,7 +147,14 @@ func (s *DispersalServer) DisperseBlobAuthenticated(stream pb.Disperser_Disperse
 authenticatedAddress := crypto.PubkeyToAddress(*pubKey).String()
 
 // Send back challenge to client
- challenge := rand.Uint32()
+ challengeBytes := make([]byte, 32)
+ _, err = rand.Read(challengeBytes)
+ if err != nil {
+ s.metrics.HandleInvalidArgRpcRequest("DisperseBlobAuthenticated")
+ s.metrics.HandleInvalidArgRequest("DisperseBlobAuthenticated")
+ return api.NewInvalidArgError(fmt.Sprintf("failed to generate challenge: %v", err))
+ }
+ challenge := binary.LittleEndian.Uint32(challengeBytes)
 err = stream.Send(&pb.AuthenticatedReply{Payload: &pb.AuthenticatedReply_BlobAuthHeader{
 BlobAuthHeader: &pb.BlobAuthHeader{
 ChallengeParameter: challenge,
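Review bot: Only the first 4 of the 32 random bytes ever reach the challenge, because `binary.LittleEndian.Uint32(challengeBytes)` reads four bytes and `ChallengeParameter` is filled from that uint32; the 32-byte buffer implies a 256-bit nonce that never goes on the wire. I would size the buffer to what is used, `challengeBytes := make([]byte, 4)`, and add a comment such as `// challenge is 32 bits on the wire; crypto/rand makes it unpredictable, not wider` so nobody assumes more replay resistance than a 2^32 space gives. Separately, a `rand.Read` failure is a server-side entropy fault rather than a bad client argument, so counting it through `HandleInvalidArgRpcRequest`/`HandleInvalidArgRequest` and returning `NewInvalidArgError` buries it among client errors; if the `api` and metrics packages offer an internal-failure counterpart (not visible in this hunk), that would be the better fit. The body of DisperseBlobAuthenticated begins and ends outside the hunk.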