Generating Unique Keys

Paul Rubin phr-n2003b at NOSPAMnightsong.com
Tue Jan 28 01:23:36 CET 2003


Tim Peters <tim.one at comcast.net> writes:

> [Paul Rubin]
> > Yes.  Mersenne Twister tries to have good statistical properties so
> > that your simulations won't be biased by accident.  But it makes no
> > attempt at all to thwart malicious attacks.  Also, the implementations
> > I've seen (I haven't looked at 2.3's) use just a 32-bit initial seed,
> > so it's fairly quick for an attacker to search this whole 32-bit space.
> 
> You can pass a long (unbounded) int to 2.3's seed(), and all bits are used,
> via the original authors' initialize-from-array-of-uint32 routine (the
> absolute value of the Python long is broken into 32-bit chunks for this
> purpose).

Thanks.  Note that the security of this scheme still depends on
getting an unguessable int to use as a seed, which is NOT an easy
thing to do.

If you have a way of getting a unique integer (say an increasing
sequence), a very simple way to turn it into an unguessable token is:

   import sha

   # make some secret string that's part of your server configuration
   # do NOT reveal it to attackers ;-)
   secret_prefix = "some fixed secret string--swordfish orangutan zorkmid"

   # and then to make a token
   token = sha.new(secret_prefix + str(unique_integer)).hexdigest()




More information about the Python-list mailing list