[Python-ideas] PEP 504: Using the system RNG by default

Stephen J. Turnbull stephen at xemacs.org
Wed Sep 16 06:47:25 CEST 2015

Tim Peters writes:
 > [Stephen J. Turnbull <stephen at xemacs.org>]
 > > ...
 > > (2) ISTM there are no likely attack vectors due to choice of default
 > >     RNG in random.random, based on Tim's analysis, but AFAICS he's
 > >     unwilling to say it's implausible that they exist.  (Sorry for the
 > >     double negative!)  I take this to mean that there may be real risk.
 > Oh, _many_ attacks are possible.  Many are even plausible.  For
 > example, while Python's _default_ seeding is based on urandom()
 > setting MT's entire massive state (no more secure way exists), a user
 > making up their own seed is quite likely to do so in a way vulnerable
 > to a "poor seeding" attack.

I'm not sure what you mean to say, but I don't count that as "due to
choice of default RNG".  That's foot-shooting of the kind we can't do
anything about anyway, and if *that* is what Nick is worried about,
I'm worried about Nick. ;-)

*I* am more worried about attacks we don't know about yet (or at least
haven't been mentioned in this thread), and maybe even haven't been
invented yet.  I presume Nick is, too.

 > "Password generators" should be the least of our worries.  Best I can
 > tell, the PHP paper's highly technical MT attack against those has
 > scant chance of working in Python except when random.choice(x) is
 > known to have len(x) a power of 2.

That's genuinely comforting to read (even though it's the second or
third time I've read it ;-).  But I'm still nervous about the unknown.

More information about the Python-ideas mailing list