Password validation security issue
Steven D'Aprano
steve+comp.lang.python at pearwood.info
Sun Mar 2 21:30:52 EST 2014
On Sun, 02 Mar 2014 15:10:06 -0800, Renato wrote:
> I would like to thank everyone who posted a reply. I learnt a lot from
> you, guys! I appreciate your attention and your help :)
>
> I took a class on Computer Simulation last year. It was told that
> deterministic (pseudo-)random numbers are excellent for simulations,
> because they allow debugging and replication when using a seed(). But it
> was said that deterministic random numbers weren't indeed suitable for
> encryption and security issues in general. For this purpose,
> non-deterministic stochastic methods would be more indicated.
Either you have misunderstood, or you have been told something incorrect.
You don't in general want non-deterministic stochastic randomness,
because you can't control it and you can't make any guarantees about it.
Stochastic randomness nearly always has deviations from uniformity which
can be exploited, that is, it is less random than you might think. For
example:
http://www.newscientist.com/article/mg21428644.500-roulette-beater-spills-physics-behind-victory.html
http://en.wikipedia.org/wiki/Eudaemons
Nor should you use deterministic PRNGs like the Mersenne Twister, not
because they are deterministic, but because they aren't cryptographically
strong.
The right approach is to use a deterministic PRNG which is deliberately
designed for use in cryptographic applications, and then add in a source
of entropy (which might be non-deterministic, like thermal noise or the
output of radioactive decay). On Unix systems, the OS already does this
for you:
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
> One last thing, about my original question. So, the only way of
> encapsulating a Python script content is to code a simple binary program
> to call it?
I don't understand this question. Can you explain more?
--
Steven D'Aprano
http://import-that.dreamwidth.org/
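
Added example, not part of the original message: the contrast drawn above between the Mersenne Twister and the OS-provided generator, using only Python's standard library. The alphabet, the seed value and the function names are constructed for illustration.

```python
import os
import random
import string

# Constructed sample alphabet for generated tokens (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits


def token_from_mt(seed, length=16):
    """Token drawn from random.Random (Mersenne Twister) with a known seed.

    Anyone who learns or guesses the seed regenerates the same token,
    which is why this generator suits simulations but not secrets.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def token_from_os(length=16):
    """Token drawn from the OS CSPRNG through random.SystemRandom.

    SystemRandom reads os.urandom(), i.e. the kernel generator that is
    already mixed with entropy, as described in the message above.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def system_random_ignores_seed(seed):
    """Return True if seeding SystemRandom does not make it replayable."""
    a = random.SystemRandom()
    b = random.SystemRandom()
    a.seed(seed)  # documented no-op for SystemRandom
    b.seed(seed)
    return a.getrandbits(128) != b.getrandbits(128)


def raw_key(nbytes=32):
    """Raw key material straight from the OS generator."""
    return os.urandom(nbytes)


if __name__ == "__main__":
    print("MT, seed 1234 :", token_from_mt(1234))
    print("MT, seed 1234 :", token_from_mt(1234), "(identical: replayable)")
    print("OS CSPRNG     :", token_from_os())
    print("OS CSPRNG     :", token_from_os(), "(independent draw)")
    print("seed ignored  :", system_random_ignores_seed(1234))
    print("32-byte key   :", raw_key().hex())
```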