Generating Unique Keys
cnetzer at mail.arc.nasa.gov
Tue Jan 28 22:25:29 CET 2003
On Tuesday 28 January 2003 12:45, Paul Rubin wrote:
> trevp at trevp.net (Trevor Perrin) writes:
> > And it would be better to generate the secret_prefix as a good
> > random number on system startup, not bake it into a configuration.
>
> If you've got a source of good random numbers, you can just use them
> directly as tokens and not need this hashing stuff.

??? - Surely you must assume that Trevor was talking about normal
pseudo-random number generators (not cryptographically secure, or true
entropy based random numbers; Trevor, am I correct?). The point is
that one is not always sure of the "randomness" of numbers on different
platforms, and simple pseudo-random number generators are generally
much more prevalent.

In which case, one absolutely does need some form of additional
processing (hashing or otherwise) to ensure reasonable security. If
Trevor had meant true random numbers, then the whole thread is moot.
They could be used directly without being guessed, although that has
limitations as well (the server has a harder time keeping track of all
the used sequence numbers and the number generator cannot be used to

In general, for these types of things, the approach I've seen and heard
of most is to use a random (ideally truly random) starting secret, and
chains of cryptographic hash sequences (with periodic re-seeding).
Bay Area Python Interest Group - http://www.baypiggies.net/
(any opinion expressed is my own and not NASA's or my employer's)
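
The approach named in the closing paragraph of the message above (random starting secret, hash chain, periodic re-seeding), as an added example that is not part of the original post. It uses HMAC-SHA256 as the chain's hash step and `os.urandom` as the entropy source; the class name, labels and re-seed interval are assumptions.

```python
import hashlib
import hmac
import os


class HashChainTokens:
    """Unique tokens from a random starting secret and a keyed hash chain."""

    def __init__(self, reseed_every=1000, entropy=os.urandom):
        self._entropy = entropy          # injectable so tests can be deterministic
        self._reseed_every = reseed_every
        self._state = entropy(32)        # the random starting secret
        self._issued = 0

    def _derive(self, label, extra=b""):
        # HMAC-SHA256 keyed with the secret state; the label separates uses.
        return hmac.new(self._state, label + extra, hashlib.sha256).digest()

    def next_token(self):
        if self._issued and self._issued % self._reseed_every == 0:
            # Periodic re-seeding: fold fresh entropy into the chain, so a
            # leaked state stops being useful after the next re-seed.
            self._state = self._derive(b"reseed", self._entropy(32))
        # Token and next state use different labels, so a published token
        # does not reveal the state that produces the following tokens.
        token = self._derive(b"token").hex()
        self._state = self._derive(b"next")
        self._issued += 1
        return token


if __name__ == "__main__":
    gen = HashChainTokens(reseed_every=3)
    for _ in range(5):
        print(gen.next_token())
```

The server keeps only the 32-byte state and a counter; each step overwrites the previous state, so tokens already issued cannot be recomputed from the state that exists after them.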