[Python-ideas] Should our default random number generator be secure?

M.-A. Lemburg mal at egenix.com
Mon Sep 14 12:37:52 CEST 2015

On 14.09.2015 08:38, Nathaniel Smith wrote:
> If Tim Peters can get fooled
> into thinking something like using MT to generate session ids is
> "probably mostly secure", then what chance do the rest of us have?
> <wink>

I don't think that Tim can get fooled into believing he is a
crypto wonk ;-)

The thread reveals another misunderstanding:

 Broken code doesn't get any better when you change the context
 in which it is run.

By fixing the RNG used in such broken code and making it
harder to run attacks, you are only changing the context in which
the code is run. The code itself still remains broken.

Code which uses the output from an RNG as session id without adding
any additional security measures is broken, regardless of what kind
of RNG you are using. I bet such code will also take any session id
it receives as cookie and trust it without applying extra checks
on it.

Rather than trying to fix up the default RNG in Python by replacing
it with a crypto RNG, it's better to open bug reports to get the
broken software fixed.

Replacing the default Python RNG with a new unstudied crypto one,
will likely introduce problems into working code which rightly
assumes the proven statistical properties of the MT.

Just think of the consequences of adding unwanted bias to simulations.
This is far more likely to go unnoticed than a session highjack due
to a broken system and can easily cost millions (or earn you
millions - it's all probability after all :-)).

Now, pointing people who write broken code to a new module which
provides a crypto RNG probably isn't much better either. They'd feel
instantly secure because it says "crypto" on the box and forget
about redesigning their insecure protocol as well. Nothing much you
can do about that, I'm afraid.

Too easy sometimes is too easy indeed ;-)

Marc-Andre Lemburg

Professional Python Services directly from the Experts (#1, Sep 14 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Connect Remote DB-API ...          http://connect.egenix.com/
>>> mxODBC Python Database Interface ...       http://mxodbc.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...       http://zope.egenix.com/
2015-09-14: Released mxODBC Plone/Zope DA 2.2.3   http://egenix.com/go84
2015-09-18: PyCon UK 2015 ...                               4 days to go
2015-09-26: Python Meeting Duesseldorf Sprint 2015         12 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-ideas mailing list