Generating Unique Keys
Paul Rubin
phr-n2003b at NOSPAMnightsong.com
Mon Jan 27 19:23:36 EST 2003
Tim Peters <tim.one at comcast.net> writes:
> [Paul Rubin]
> > Yes. Mersenne Twister tries to have good statistical properties so
> > that your simulations won't be biased by accident. But it makes no
> > attempt at all to thwart malicious attacks. Also, the implementations
> > I've seen (I haven't looked at 2.3's) use just a 32-bit initial seed,
> > so it's fairly quick for an attacker to search this whole 32-bit space.
>
> You can pass a long (unbounded) int to 2.3's seed(), and all bits are used,
> via the original authors' initialize-from-array-of-uint32 routine (the
> absolute value of the Python long is broken into 32-bit chunks for this
> purpose).

Thanks. Note that the security of this scheme still depends on
getting an unguessable int to use as a seed, which is NOT an easy
thing to do.

If you have a way of getting a unique integer (say an increasing
sequence), a very simple way to turn it into an unguessable token is:

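    import hashlib  # hashlib.sha1 replaces the old sha module (removed in Python 3)

    # make some secret string that's part of your server configuration
    # do NOT reveal it to attackers ;-)
    secret_prefix = "some fixed secret string--swordfish orangutan zorkmid"

    unique_integer = 1  # placeholder: the next value from your unique sequence

    # and then to make a token
    token = hashlib.sha1((secret_prefix + str(unique_integer)).encode()).hexdigest()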
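
The token scheme from the message above, as an added example that is not part of the original post: it swaps the secret-prefix SHA-1 hash for HMAC-SHA256, the standard keyed-hash construction, and goes one step further by embedding the integer in the token so the server can check it without a lookup. SERVER_KEY, make_token and verify_token are names assumed for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a real server loads this key from its configuration and keeps it
# stable across restarts; it is generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _tag(ident: str, key: bytes) -> str:
    """HMAC-SHA256 over the decimal form of the integer, hex encoded."""
    return hmac.new(key, ident.encode("ascii"), hashlib.sha256).hexdigest()


def make_token(unique_integer: int, key: bytes = SERVER_KEY) -> str:
    """Return '<id>.<tag>' for a non-negative integer from a unique sequence."""
    if unique_integer < 0:
        raise ValueError("unique_integer must be non-negative")
    ident = str(unique_integer)
    return f"{ident}.{_tag(ident, key)}"


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the embedded integer if the tag is valid, otherwise None."""
    ident, sep, tag = token.partition(".")
    # Accept only the canonical decimal form so "007" or "+7" cannot alias 7.
    if not sep or not ident.isascii() or not ident.isdigit():
        return None
    if str(int(ident)) != ident:
        return None
    # compare_digest avoids leaking how many leading characters matched.
    # Bytes are compared so a non-ASCII tag is rejected instead of raising.
    if not hmac.compare_digest(_tag(ident, key).encode(), tag.encode()):
        return None
    return int(ident)


if __name__ == "__main__":
    t = make_token(41)
    print(t, verify_token(t))
    # Reusing the tag of 41 for the next integer in the sequence is rejected.
    print(verify_token("42." + t.split(".", 1)[1]))
```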