[Python-ideas] Should our default random number generator be secure?
Robert Kern
robert.kern at gmail.com
Wed Sep 16 10:11:12 CEST 2015
On 2015-09-16 01:43, Tim Peters wrote:
> ...
>
> [Marc-Andre]
>> Ah, now we're getting somewhere :-)
>>
>> If we accept that non-guessable, but deterministic is a good
>> compromise, then adding a cipher behind MT sounds like a reasonable
>> way forward, even as default.
>>
>> For full crypto strength, people would still have to rely on
>> solutions like /dev/urandom or the OpenSSL one (or reseed the
>> default RNG every now and then). All others get the benefit of
>> non-guessable, but keep the ability to seed the default RNG in
>> Python.
>
> I expect the only real reason "new entropy" is periodically mixed in
> to OpenBSD's arc4random() is to guard against that a weakness in
> ChaCha20 may be discovered later. If there were any known
> computationally feasible way whatsoever to distinguish bare-bones
> ChaCha20's output from a "truly random" sequence, it wouldn't be
> called "crypto" to begin with.
Periodic reseeding also serves to guard against other leaks of information about
the underlying state that don't come from breaking through the cipher. If an
attacker manages to deduce the state through side channels, timing attacks on
the machine, brief physical access, whatever, then reseeding with new entropy
will limit the damage rather than blithely continuing on with a compromised
state forever.
It's an important feature of a CSPRNG. Using a crypto output function in your
PRNG is a necessary but not sufficient condition for security.
--
Robert Kern
"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
More information about the Python-ideas
mailing list