[Python-ideas] Should our default random number generator be secure?

Guido van Rossum guido at python.org
Wed Sep 9 18:35:12 CEST 2015


I've received several long emails from Theo de Raadt (OpenBSD founder)
about Python's default random number generator. This is the random module,
and it defaults to a Mersenne Twister (MT) seeded by 2500 bytes of entropy
taken from os.urandom().

Theo's worry is that while the starting seed is fine, MT is not good when
random numbers are used for crypto and other security purposes. I've
countered that it's not meant for that (you should use
random.SystemRandom() or os.urandom() for that) but he counters that people
don't necessarily know that and are using the default random.random() setup
for security purposes without realizing how wrong that is.

There is already a warning in the docs for the random module that it's not
suitable for security, but -- as the meme goes -- nobody reads the docs.

Theo then went into technicalities that went straight over my head,
concluding with a strongly worded recommendation of the OpenBSD version of
arc4random() (which IIUC is based on something called "chacha", not on
"RC4" despite that being in the name). He says it is very fast (but I don't
know what that means).

I've invited Theo to join this list but he's too busy. The two core Python
experts on the random module have given me opinions suggesting that there's
not much wrong with MT, so here I am. Who is right? What should we do? Is
there anything we need to do?

-- 
--Guido van Rossum (python.org/~guido)
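
Added example, not part of the original message and not CPython code: a small static check for the situation the message describes, where code calls the default random functions for security purposes despite the warning in the docs. It flags calls that reach the default Mersenne Twister and leaves random.SystemRandom() and os.urandom() alone; the function name `find_default_rng_calls` and the sample source are constructed for illustration.

```python
import ast

# Names on the random module that do not draw from the default Mersenne Twister.
SAFE_ATTRS = {"SystemRandom"}

# Constructed sample input: helpers that mix the default generator with OS entropy.
SAMPLE = '''
import os, random
import random as rnd
from random import choice, SystemRandom
def session_token():
    return "%032x" % random.getrandbits(128)
def reset_code():
    return "".join(choice("0123456789") for _ in range(6))
def pick_salt():
    return rnd.randint(0, 2**32)
def good_token():
    return SystemRandom().getrandbits(128), os.urandom(16)
'''

def find_default_rng_calls(source):
    """Return sorted (line, call) pairs for calls into the default generator."""
    tree = ast.parse(source)
    module_aliases, direct_names = set(), {}
    # First pass: learn every name under which the random module is visible.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "random":
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for a in node.names:
                if a.name not in SAFE_ATTRS:
                    direct_names[a.asname or a.name] = a.name
    findings = []
    # Second pass: report calls made through those names.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr not in SAFE_ATTRS):
            findings.append((node.lineno, "random." + f.attr))
        elif isinstance(f, ast.Name) and f.id in direct_names:
            findings.append((node.lineno, "random." + direct_names[f.id]))
    return sorted(findings)

if __name__ == "__main__":
    for line, call in find_default_rng_calls(SAMPLE):
        print("line %d: %s draws from the default Mersenne Twister" % (line, call))
```

The check is syntactic: it cannot tell a simulation from a token generator, so each finding still needs a look at what the value is used for.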