[ python-Bugs-1680034 ] Importing SystemRandom wastes entropy.
SourceForge.net
noreply at sourceforge.net
Tue Mar 13 20:08:28 CET 2007
Bugs item #1680034, was opened at 2007-03-13 17:17
Message generated for change (Comment added) made by stephent98
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1680034&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Steve Tyler (stephent98)
Assigned to: Nobody/Anonymous (nobody)
Summary: Importing SystemRandom wastes entropy.
Initial Comment:
Importing SystemRandom wastes entropy.
The strace snippet shows a 16 byte read from /dev/urandom, which is presumably done to seed a random number generator. However SystemRandom does not need a seed, so the read is not needed.
test case:
#!/usr/bin/python
from random import SystemRandom
strace snippet:
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 4
read(4, "\\\333\277Q\243>K\350 \321\316\26_\271\364~", 16) = 16
close(4) = 0
Python version:
python-2.4.4-1.fc6 (Fedora Core 6)
----------------------------------------------------------------------
>Comment By: Steve Tyler (stephent98)
Date: 2007-03-13 19:08
Message:
Logged In: YES
user_id=1741843
Originator: YES
Here is a little more background on why wasting entropy is a problem.
"When accessed as /dev/urandom, as many bytes as are requested are
returned even when the entropy pool is exhausted."
http://www.linux.com/howtos/Secure-Programs-HOWTO/random-numbers.shtml
When the entropy pool is exhausted, the Linux RNG (accessed via
/dev/urandom) behaves like a pseudo-random number generator, which is not
acceptable for cryptographic applications such as password generators.
Analysis of the Linux Random Number Generator
http://www.pinkas.net/PAPERS/gpr06.pdf
Of course one can work around this issue by not using the "random" module
and accessing /dev/urandom or /dev/random directly.
For some perspective, simply importing the gnome.ui module consumes 4096
bytes of random data in a library I have not been able to completely
identify. (I don't think it is Python, though.)
----------------------------------------------------------------------
Comment By: Steve Tyler (stephent98)
Date: 2007-03-13 18:30
Message:
Logged In: YES
user_id=1741843
Originator: YES
Entropy is not an unlimited quantity,
therefore the existing behavior is undesirable.
My app is a random password generator which may need the entropy for
itself.
https://sourceforge.net/projects/gnome-password/
----------------------------------------------------------------------
Comment By: Georg Brandl (gbrandl)
Date: 2007-03-13 17:32
Message:
Logged In: YES
user_id=849994
Originator: NO
This is not caused by SystemRandom, but by instantiating (and thereby
seeding) the normal (Mersenne Twister) random number generator, which is
done automatically when random is imported.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1680034&group_id=5470
More information about the Python-bugs-list
mailing list