<p dir="ltr">On Jun 16, 2016 1:23 AM, "Stefan Krah" <<a href="mailto:stefan@bytereef.org">stefan@bytereef.org</a>> wrote:<br>
><br>
> Nathaniel Smith <njs <at> <a href="http://pobox.com">pobox.com</a>> writes:<br>
> > In practice, your proposal means that ~all existing code that uses<br>
> > os.urandom becomes incorrect and should be switched to either secrets<br>
> > or random. This is *far* more churn for end-users than Nick's<br>
> > proposal.<br>
><br>
> This should only concern code that a) was specifically written for<br>
> 3.5.0/3.5.1 and b) implements a serious cryptographic application<br>
> in Python.<br>
><br>
> I think b) is not a good idea anyway due to timing and side channel<br>
> attacks and the lack of secure wiping of memory. Such applications<br>
> should be written in C, where one does not have to predict the<br>
> behavior of multiple layers of abstractions.</p>
<p dir="ltr">This is completely unhelpful. Firstly because it's an argument that os.urandom and the secrets module shouldn't exist, which doesn't tell us much about what their behavior should be given that they do exist, and secondly because it fundamentally misunderstands why they exist.</p>
<p dir="ltr">The word "cryptographic" here is a bit of a red herring. The guarantee that a CSPRNG makes is that the output should be *unguessable by third parties*. There are plenty of times when this is what you need even when you aren't using actual cryptography. For example, when someone logs into a web app, I may want to send back a session cookie so that I can recognize this person later without making them reauthenticate all the time. For this to work securely, it's extremely important that no one else be able to predict what session cookie I sent, because if you can guess the cookie then you can impersonate the user.</p>
<p dir="ltr">In Python 2.3-3.5, the most correct way to write this code is to use os.urandom. The question in this thread is whether we should break that in 3.6, so that conscientious users are forced to switch existing code over to using the secrets module if they want to continue to get the most correct available behavior, or whether we should preserve that in 3.6, so that code like my hypothetical web app that was correct on 2.3-3.5 remains correct on 3.6 (with the secrets module being a more friendly wrapper that we recommend for new code, but with no urgency about porting existing code to it).</p>
<p dir="ltr">-n</p>
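The session-cookie flow described in the message above, as an added example that is not code from the thread or from CPython: the cookie value is drawn from os.urandom (the approach the message calls correct on 2.3-3.5) beside the equivalent secrets.token_urlsafe wrapper, and a hypothetical in-memory SessionStore shows the server side of the check.

```python
import base64
import hashlib
import hmac
import os
import secrets

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG: infeasible for a third party to guess


def urandom_token() -> str:
    """Session cookie value built directly on os.urandom (available since 2.3)."""
    raw = os.urandom(TOKEN_BYTES)
    # URL-safe base64 without padding keeps the value cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def secrets_token() -> str:
    """Same value shape via the 3.6 secrets module, which wraps os.urandom."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionStore:
    """Hypothetical server-side store: maps unguessable cookies to user ids.

    The store keeps only a SHA-256 digest of each cookie, so a leaked copy
    of the table does not hand out usable session cookies.
    """

    def __init__(self, token_factory=urandom_token):
        self._token_factory = token_factory
        self._sessions = {}  # sha256(cookie) -> user id

    @staticmethod
    def _digest(cookie: str) -> bytes:
        return hashlib.sha256(cookie.encode("ascii")).digest()

    def login(self, user_id: str) -> str:
        cookie = self._token_factory()
        self._sessions[self._digest(cookie)] = user_id
        return cookie  # sent back to the browser as the Set-Cookie value

    def lookup(self, presented: str):
        """Return the user id for a presented cookie, or None if unknown."""
        wanted = self._digest(presented)
        # Constant-time comparison of the digest, so the check itself does not
        # leak how many leading bytes of a guessed cookie were right.
        for digest, user_id in self._sessions.items():
            if hmac.compare_digest(digest, wanted):
                return user_id
        return None
```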