This repository has been archived by the owner on Oct 20, 2020. It is now read-only.

Security Bug: low entropy on private key generation #11

Open
cryptohazard opened this issue May 17, 2018 · 0 comments

Comments

@cryptohazard

The issue localization:

https://github.com/asuleymanov/rpc/blob/master/keys.go
The issue is in the function init:

```go
import (
	crand "crypto/rand"
	"math/rand"
	"time"
)

var src rand.Source

func init() {
	// 64-bit nanosecond timestamp: the seed space is at most 2^64 values.
	seed := time.Now().UnixNano()

	reader := crand.Reader
	i, err := crand.Prime(reader, 64)
	// The XOR with the prime only runs when crand.Prime fails (and i is nil then);
	// on the normal path the seed is the bare timestamp.
	if err != nil {
		seed = seed ^ i.Int64()
	}

	// math/rand is seeded with this 64-bit value; it is not a CSPRNG.
	src = rand.NewSource(seed)
}
```

First security issue: Prime numbers as seed

The first problem is that the seed is initialized with a prime number. There is actually no need for a prime number for the cryptography. By doing this, we constrain the seed and reduce the interval in which the seed is chosen. For instance, the prime number tells you how many prime numbers there are, which is less than 2^64.

Note: This might actually not serve an attacker because of seed := time.Now().UnixNano(). An attacker most likely will just try the 2^64 possible values, and this is the main security issue as explained below.

Second issue: 2^64 is too little

The seed is initialized as a 64-bit integer. The state of the art is at least 80 bits (actually it is slowly moving to 112 bits). This is insufficient against an attacker with a computing farm (like a state).

Reference

You can check this link for a comprehensive explanation of security levels:
https://www.cryptopp.com/wiki/Security_Level

How to fix

Don't try to init the random generator and read the bytes directly from golang crypto rand. The seed is, as far as I can tell, properly used to randomly pick each letter of the master password in the rest of the program.
I would also recommend, if anyone used it to generate their keys, to change them as a paranoia measure.
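The fix described above, as an added example that is not code from the reporter or from the asuleymanov/rpc repository: each character of the password is drawn straight from crypto/rand, and two helper functions contrast the entropy this yields with the 2^64 ceiling a 64-bit math/rand seed imposes. The alphabet and the function names are assumptions; the original program's alphabet is not shown in the issue.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math"
	"math/big"
)

// Alphabet the master password is drawn from (assumed; the original
// program's alphabet is not shown in this issue).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// randomPassword draws each character directly from crypto/rand, as the
// report recommends, instead of seeding math/rand with a 64-bit value.
// rand.Int returns a uniform value in [0, n), so there is no modulo bias.
func randomPassword(length int) (string, error) {
	if length <= 0 {
		return "", errors.New("length must be positive")
	}
	n := big.NewInt(int64(len(alphabet)))
	out := make([]byte, length)
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err // never fall back to a weaker source on failure
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// passwordEntropyBits is the entropy of a length-character password when
// every character is an independent uniform draw from the alphabet.
func passwordEntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// effectiveEntropyBits is what an attacker actually has to search: a
// math/rand generator seeded with seedBits bits can emit at most 2^seedBits
// distinct passwords, however long each password is.
func effectiveEntropyBits(length int, seedBits int) float64 {
	return math.Min(passwordEntropyBits(length), float64(seedBits))
}
```

A 32-character password from this alphabet carries about 190 bits when drawn from crypto/rand, but only 64 bits when it is expanded from a 64-bit seed.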
