[Python-ideas] PEP 504: Using the system RNG by default
Tim Peters
tim.peters at gmail.com
Wed Sep 16 05:14:12 CEST 2015
[Stephen J. Turnbull <stephen at xemacs.org>]
> ...
> (2) ISTM there are no likely attack vectors due to choice of default
> RNG in random.random, based on Tim's analysis, but AFAICS he's
> unwilling to say it's implausible that they exist. (Sorry for the
> double negative!) I take this to mean that there may be real risk.
Oh, _many_ attacks are possible. Many are even plausible. For
example, while Python's _default_ seeding is based on urandom()
setting MT's entire massive state (no more secure way exists), a user
making up their own seed is quite likely to do so in a way vulnerable
to a "poor seeding" attack.
"Password generators" should be the least of our worries. Best I can
tell, the PHP paper's highly technical MT attack against those has
scant chance of working in Python except when random.choice(x) is
known to have len(x) a power of 2. Then it's a very powerful attack.
But in PHP's idiomatic way of spelling random.choice(x) ("by hand",
spelled out in the paper), it's _always_ a very powerful attack.
In general, the more technical the attack, the more details matter.
It's just no _fun_ to drone on about simple universally applicable
brute-force attacks, so I'll continue to drone on about the PHP
paper's sophisticated MT state-deducer ;-)
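The "poor seeding" point above, as an added illustration that is not part of the post or of CPython: a password generator built on a caller-seeded Mersenne Twister can emit at most as many distinct passwords as there are possible seeds, however long the password looks, whereas the `secrets` path (the OS RNG that PEP 504 argues for) has no such cap. The 64-symbol alphabet and the 10_000-seed space are constructed for the demonstration.

```python
import random
import secrets
import string

# Constructed alphabet: 64 symbols, a typical "password generator" choice.
ALPHABET = string.ascii_letters + string.digits + "-_"


def mt_password(seed, length):
    """Password drawn from Mersenne Twister seeded with a caller-chosen
    value (the pattern the post calls vulnerable to poor seeding).
    Every character of the output is a pure function of `seed`."""
    rng = random.Random(seed)  # private MT instance, NOT os.urandom-seeded
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_password(length):
    """Same shape, but drawn from the OS CSPRNG via secrets, i.e. the
    SystemRandom path; there is no seed for a user to get wrong."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reachable_passwords(seeds, length):
    """Every password the MT generator can ever emit when the seed is
    restricted to `seeds`. The size of this set, not the password length,
    bounds the real entropy of the generator."""
    return {mt_password(s, length) for s in seeds}


def nominal_keyspace(length):
    """What the password *looks* like it offers: |ALPHABET| ** length."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    # A 16-character password "looks like" 64**16 == 2**96 possibilities ...
    print("nominal keyspace          :", nominal_keyspace(16))
    # ... but if the user seeds with e.g. a short PIN or a small counter,
    # only as many passwords as there are seeds can ever be produced.
    seeds = range(10_000)  # constructed: 10_000 possible seed values
    print("reachable with 10_000 seeds:", len(reachable_passwords(seeds, 16)))
    # Same seed, same password, every time: the MT version is reproducible.
    print("MT seed 42, twice         :", mt_password(42, 16), mt_password(42, 16))
    print("secrets-based             :", secure_password(16))
```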