[Python-ideas] Should our default random number generator be secure?
M.-A. Lemburg
mal at egenix.com
Thu Sep 10 10:26:23 CEST 2015
Reading this thread is fun, but it doesn't seem to be getting
anywhere - perhaps that's part of the fun ;-)

Realistically, I see two options:

 1. Someone goes and implements the OpenBSD random function in C
    and puts a package up on PyPI, updating it whenever OpenBSD
    thinks that a new algorithm is needed or a security issue
    has to be fixed (from my experience with other crypto software
    like OpenSSL, this should be on the order of every 2-6 months ;-))

 2. Ditto, but we put the module in the stdlib and then run around
    issuing patch level security releases every 2-6 months.

Replacing our deterministic default PRNG with a non-deterministic
one doesn't really fly, since we'd break an important feature
of random.random(). You may remember that we already ran a similar
stunt with the string hash function, with very mixed results.

Calling the result of such a switch-over "secure" is even
worse, since it's a promise we cannot keep (probably not even
fully define). Better leave the promise at "insecure" - that's
something we can promise forever and don't have to define :-)

Regardless of what we end up with, I think Python land can do
better than name it "arc4random". We're great at bike shedding,
so how about we start the fun with "randomYMMV" :-)

Overall, I think having more options for good PRNGs is great.
Whether this "arc4random" is any good remains to be seen, but
given that OpenBSD developed it, chances are higher than
usual.

--
Marc-Andre Lemburg
eGenix.com
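
Added example, not part of the original message and not CPython's own code: the seeded-replay and state-checkpoint behaviour of the deterministic default generator that the message says a non-deterministic replacement would break, shown with the stdlib `random.Random` next to the OS-backed `random.SystemRandom`. The function names and the stand-in "experiment" are made up for this illustration.

```python
import random


def run_experiment(rng, draws=8):
    """Stand-in simulation: a shuffled work order plus a few random floats."""
    order = list(range(52))
    rng.shuffle(order)
    return order, [rng.random() for _ in range(draws)]


def seeded_system_rng(seed):
    """SystemRandom accepts seed() but ignores it; output comes from the OS."""
    rng = random.SystemRandom()
    rng.seed(seed)  # documented no-op for SystemRandom
    return rng


def replay_is_exact(make_rng, seed=2015):
    """Run the experiment twice from the same seed; True if both runs match."""
    return run_experiment(make_rng(seed)) == run_experiment(make_rng(seed))


def can_checkpoint(rng):
    """True if the generator state can be saved and restored mid-run."""
    try:
        state = rng.getstate()
    except NotImplementedError:
        # SystemRandom keeps no user-visible state to save.
        return False
    expected = [rng.random() for _ in range(5)]
    rng.setstate(state)
    return expected == [rng.random() for _ in range(5)]


if __name__ == "__main__":
    # Deterministic default (Mersenne Twister): replayable, predictable.
    print("Random replay exact:       ", replay_is_exact(random.Random))
    print("Random checkpointable:     ", can_checkpoint(random.Random(1)))
    # OS entropy source: suitable for secrets, but no replay or checkpoint.
    print("SystemRandom replay exact: ", replay_is_exact(seeded_system_rng))
    print("SystemRandom checkpoint:   ", can_checkpoint(random.SystemRandom()))
```

Code that needs unpredictable values (tokens, keys, nonces) should ask for `random.SystemRandom` or `os.urandom` explicitly; code that needs replayable runs depends on the seeded behaviour shown in the first two checks.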