[Python-ideas] PEP 504: Using the system RNG by default

Tim Peters tim.peters at gmail.com
Wed Sep 16 05:14:12 CEST 2015


[Stephen J. Turnbull <stephen at xemacs.org>]
> ...
> (2) ISTM there are no likely attack vectors due to choice of default
>     RNG in random.random, based on Tim's analysis, but AFAICS he's
>     unwilling to say it's implausible that they exist.  (Sorry for the
>     double negative!)  I take this to mean that there may be real risk.

Oh, _many_ attacks are possible.  Many are even plausible.  For
example, while Python's _default_ seeding is based on urandom()
setting MT's entire massive state (no more secure way exists), a user
making up their own seed is quite likely to do so in a way vulnerable
to a "poor seeding" attack.

"Password generators" should be the least of our worries.  Best I can
tell, the PHP paper's highly technical MT attack against those has
scant chance of working in Python except when random.choice(x) is
known to have len(x) a power of 2.  Then it's a very powerful attack.
But in PHP's idiomatic way of spelling random.choice(x) ("by hand",
spelled out in the paper), it's _always_ a very powerful attack.

In general, the more technical the attack, the more details matter.
It's just no _fun_ to drone on about simple universally applicable
brute-force attacks, so I'll continue to drone on about the PHP
paper's sophisticated MT state-deducer ;-)
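An added illustration, not code from this thread: it mirrors the rejection loop that CPython's `random.choice` uses (the `_randbelow` path of `random.Random` in Python 3.2+, which draws `n.bit_length()` bits per attempt, not `log2(n)`) to show how much raw Mersenne Twister output each pick exposes to an observer. The seed and sequence lengths are constructed values; `SystemRandom` is included as the non-mirrorable alternative that PEP 504 argues for.

```python
import random


def real_choices(seed, n, count):
    """count picks from random.choice(range(n)) on a seeded Random."""
    rng = random.Random(seed)
    seq = list(range(n))
    return [rng.choice(seq) for _ in range(count)]


def mirror_choices(seed, n, count):
    """Re-derive the same picks straight from getrandbits(), mirroring
    CPython's _randbelow: draw k = n.bit_length() bits, reject if >= n.
    Returns (indices, consumed): consumed counts 32-bit MT outputs used,
    each of which had its top k bits revealed (or its top bit shown to
    be set, when the draw was rejected)."""
    rng = random.Random(seed)
    k = n.bit_length()
    indices, consumed = [], 0
    while len(indices) < count:
        r = rng.getrandbits(k)      # top k bits of one 32-bit MT output
        consumed += 1
        if r < n:                   # accepted; otherwise redrawn
            indices.append(r)
    return indices, consumed


def bits_exposed_per_accepted_pick(n):
    """Raw MT bits an observer learns from each accepted pick.  A power
    of two such as 16 still draws 5 bits because bit_length(16) == 5."""
    return n.bit_length()


def system_choices(n, count):
    """Same call against the OS RNG: there is no seed to replay, so no
    mirror of past output predicts the next pick (the PEP 504 default)."""
    rng = random.SystemRandom()
    seq = list(range(n))
    return [rng.choice(seq) for _ in range(count)]


if __name__ == "__main__":
    for n in (16, 10, 64):
        got, used = mirror_choices(12345, n, 40)
        assert got == real_choices(12345, n, 40)
        print(n, "picks:", 40, "MT outputs consumed:", used,
              "bits per accepted pick:", bits_exposed_per_accepted_pick(n))
```

For a length-16 alphabet the mirror reproduces every pick exactly, which is the property the PHP paper's state-deducer relies on; the same loop against `system_choices` has nothing to replay.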

