Is that safe to use random.random() for key to encrypt?
Paul Rubin
no.email at nospam.invalid
Sun Jun 17 19:48:48 EDT 2012
Steven D'Aprano <steve+comp.lang.python at pearwood.info> writes:
>> /dev/urandom isn't actually cryptographically secure; it promises not to
>> block, even if it has insufficient entropy. But in your instance...
>
> Correct. /dev/random is meant to be used for long-lasting
> cryptographically-significant uses, such as keys. urandom is not.
They are both ill-advised if you're doing anything really serious. In
practice if enough entropy has been in the system to make a key with
/dev/random, then urandom should also be ok. Unfortunately the sensible
interface is missing: block until there's enough entropy, then generate
data cryptographically, folding in new entropy when it's available.

http://web.archive.org/web/20081003041432/http://www.pinkas.net/PAPERS/gpr06.pdf
has gory details of how random/urandom work.

If you're really paranoid, get one of these: http://www.entropykey.co.uk/
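
The interface the message above describes as missing (block until the pool has been seeded, then generate cryptographically without blocking again) was later added to Linux as getrandom(2) in kernel 3.17 and is exposed in Python 3.6+ as os.getrandom(). The sketch below is an added example, not part of the original post; the function names pool_is_seeded, generate_key and mt_key are hypothetical, and mt_key is included only as a contrast with the random module named in the subject line.

```python
import errno
import os
import random


def pool_is_seeded():
    """True once the kernel CSPRNG has been seeded (True if we cannot probe)."""
    if not hasattr(os, "getrandom"):
        return True  # no getrandom(2) on this platform; nothing to probe
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False  # early boot: not enough entropy collected yet
    except OSError as exc:
        if exc.errno == errno.ENOSYS:
            return True  # kernel older than 3.17; cannot probe
        raise


def generate_key(nbytes=32):
    """Return nbytes of key material from the kernel CSPRNG."""
    if nbytes <= 0:
        raise ValueError("nbytes must be positive")
    if not hasattr(os, "getrandom"):
        return os.urandom(nbytes)
    buf = bytearray()
    try:
        while len(buf) < nbytes:
            # flags=0 blocks only until the pool is first seeded, never after.
            # Large requests can return short, so keep reading.
            buf += os.getrandom(nbytes - len(buf))
    except OSError as exc:
        if exc.errno != errno.ENOSYS:
            raise
        return os.urandom(nbytes)
    return bytes(buf)


def mt_key(seed, nbytes=32):
    """Contrast: the random module's output is fully fixed by its seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))
```
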