Generating Unique Keys
Chad Netzer
cnetzer at mail.arc.nasa.gov
Mon Jan 27 17:05:07 EST 2003
On Saturday 25 January 2003 14:10, Paul Rubin wrote:
> Mongryong <Mongryong at sympatico.ca> writes:
> > Even with a 'randomly' generated session key, a malicious user can
> > still steal the session key of a active user.
>
> How?
By correctly guessing all aspects of the session key. Especially if
the server doesn't have a way of detecting attempts at forgery, this is
pretty straightforward (and not uncommon on many services that attempt
to invent their own authentication, validation, etc.)
In this case, it depends on on the implementation of random().
Python's default random.random() is NOT anywhere near unpredictable
enough to be secure. If you see a sequence of random numbers, it is
possible (in principle) to 'solve' the seed and sequence, and start
predicting the next random numbers. The details typically amount to
solving a linear difference equation (which is doable).
Using a random number generator based on a cryptographic hash,
preferably with some real randomness thrown in, is a better approach
for security. Linux, and other Unix operating systems, will (often)
have this built into /dev/random, /dev/urandom, etc. I'm not sure how
it is done on Windows (but there may be thrid party software to do the
same thing)
Cryptography texts will pick up where I left off. But in the simplest
case, doing a MD5 or SHA hash of several random.random() numbers, and
using THAT as the 'random' number, will be a vast improvement over
using just the raw random.random() numbers themselves.
--
Bay Area Python Interest Group - http://www.baypiggies.net/
Chad Netzer
(any opinion expressed is my own and not NASA's or my employer's)
More information about the Python-list
mailing list