[Python-ideas] PEP 504: Using the system RNG by default
Stephen J. Turnbull
stephen at xemacs.org
Wed Sep 16 06:47:25 CEST 2015
Tim Peters writes:
> [Stephen J. Turnbull <stephen at xemacs.org>]
> > ...
> > (2) ISTM there are no likely attack vectors due to choice of default
> > RNG in random.random, based on Tim's analysis, but AFAICS he's
> > unwilling to say it's implausible that they exist. (Sorry for the
> > double negative!) I take this to mean that there may be real risk.
>
> Oh, _many_ attacks are possible. Many are even plausible. For
> example, while Python's _default_ seeding is based on urandom()
> setting MT's entire massive state (no more secure way exists), a user
> making up their own seed is quite likely to do so in a way vulnerable
> to a "poor seeding" attack.
I'm not sure what you mean to say, but I don't count that as "due to
choice of default RNG". That's foot-shooting of the kind we can't do
anything about anyway, and if *that* is what Nick is worried about,
I'm worried about Nick. ;-)
*I* am more worried about attacks we don't know about yet (or at least
haven't been mentioned in this thread), and maybe even haven't been
invented yet. I presume Nick is, too.
> "Password generators" should be the least of our worries. Best I can
> tell, the PHP paper's highly technical MT attack against those has
> scant chance of working in Python except when random.choice(x) is
> known to have len(x) a power of 2.
That's genuinely comforting to read (even though it's the second or
third time I've read it ;-). But I'm still nervous about the unknown.
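As an added example (not code from the thread or from PEP 504), the same password generator driven either by a caller-seeded Mersenne Twister or by `secrets.SystemRandom`, the system RNG the PEP proposes; `recover_seed` shows the "poor seeding" hazard Tim describes, where a small hand-picked seed makes every output reproducible. The 64-symbol alphabet (the power-of-2 `len(x)` case mentioned above) and the seed range are constructed assumptions.

```python
import random
import secrets
import string

# Constructed 64-symbol alphabet: len(ALPHABET) is a power of 2.
ALPHABET = string.ascii_letters + string.digits + "+/"


def make_password(rng, length=12):
    """Draw `length` symbols with rng.choice(); rng is anything with .choice()."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def mt_password(seed, length=12):
    """Mersenne Twister explicitly seeded by the caller (the 'poor seeding' case).

    Python's default seeding fills MT's state from os.urandom(); a user who
    supplies a small integer seed instead collapses the state space to that
    integer, so the whole output stream is a function of one small number.
    """
    return make_password(random.Random(seed), length)


def system_password(length=12):
    """Same generator driven by the OS CSPRNG; there is no seed to recover."""
    return make_password(secrets.SystemRandom(), length)


def recover_seed(password, max_seed):
    """Audit helper: given one observed password and the (assumed) seed range,
    find the seed by enumeration, or return None if it lies outside the range.

    Success means every past and future password from that generator is known,
    which is why a caller-chosen seed must never back a security-sensitive
    random.choice(); secrets.SystemRandom has no equivalent weakness.
    """
    for seed in range(max_seed):
        if mt_password(seed, len(password)) == password:
            return seed
    return None
```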