[Python-ideas] Should our default random number generator be secure?
Nikolaus Rath
Nikolaus at rath.org
Mon Sep 14 20:32:26 CEST 2015
On Sep 14 2015, "M.-A. Lemburg" <mal-SVD0I98eSHvQT0dZR+AlfA at public.gmane.org> wrote:
>>> Code which uses the output from an RNG as session id without adding
>>> any additional security measures is broken, regardless of what kind
>>> of RNG you are using. I bet such code will also take any session id
>>> it receives as cookie and trust it without applying extra checks
>>> on it.
>>
>> Yes, that's... generally the thing you do with session cookies?
>> They're shared secret string that you use as keys into some sort of
>> server-side session database? What extra checks need to be applied?
>
> You will at least want to add checks that the session id string was
> indeed generated by the server and not some bot trying to
> find valid session ids, e.g. by signing the session id and
> checking the sig on incoming requests.
The chance of a bot hitting a valid (randomly generated) session key by
chance should be just as high as the bot generating a correctly signed
session key by chance, if I'm not mistaken.
(Assuming, of course, that the completely random key has the same number
of bits as they other key + signature).
Best,
-Nikolaus
--
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F
»Time flies like an arrow, fruit flies like a Banana.«
More information about the Python-ideas
mailing list