Generating Unique Keys

Chad Netzer cnetzer at mail.arc.nasa.gov
Tue Jan 28 16:25:29 EST 2003


On Tuesday 28 January 2003 12:45, Paul Rubin wrote:
> trevp at trevp.net (Trevor Perrin) writes:

> > And it would be better to generate the secret_prefix as a good
> > random number on system startup, not bake it into a configuration.
>
> If you've got a source of good random numbers, you can just use them
> directly as tokens and not need this hashing stuff.

??? - Surely you must assume that Trevor was talking about normal 
pseudo-random number generators (not cryptographically secure, or true 
entropy based random numbers; Trevor, am I correct?).  The point is 
that one is not always sure of the "randomness" of numbers on different 
platforms, and simple pseudo-random number generators are generally 
much more prevalent.

In which case, one absolutely does need some form of additional 
processing (hashing or otherwise) to ensure reasonable security.  If 
Trevor had meant true random numbers, then the whole thread is moot.  
They could be used directly without being guessed, although that has 
limitations as well (the server has a harder time keeping track of all 
the used sequence numbers and the number generator cannot be used to 
"replay" them).

In general, for these types of things, the approach I've seen and heard 
of most is to use a random (ideally truly random) starting secret, and 
chains of cryptographic hash sequences (with periodic re-seeding).

-- 
Bay Area Python Interest Group - http://www.baypiggies.net/

Chad Netzer
(any opinion expressed is my own and not NASA's or my employer's)
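
A sketch of the scheme described in the message above (random starting secret, one-way hash chain, periodic re-seeding), added here as an example and not code from the thread. The names `step`, `replay` and `HashChainTokens`, the choice of HMAC-SHA256, and the re-seed interval are assumptions.

```python
import hashlib
import hmac
import os


def step(state):
    """Derive (token, next_state) from the current state, each one-way."""
    # Different labels: seeing a token does not reveal the next state.
    token = hmac.new(state, b"token", hashlib.sha256).hexdigest()
    next_state = hmac.new(state, b"next", hashlib.sha256).digest()
    return token, next_state


def replay(seed, count):
    """Regenerate the first `count` tokens of a chain from its starting secret."""
    tokens, state = [], seed
    for _ in range(count):
        token, state = step(state)
        tokens.append(token)
    return tokens


class HashChainTokens:
    def __init__(self, reseed_every=1000, entropy=os.urandom):
        self._entropy = entropy            # injectable so tests are deterministic
        self._reseed_every = reseed_every
        self._state = entropy(32)          # random starting secret
        self._issued = 0

    def next_token(self):
        if self._issued and self._issued % self._reseed_every == 0:
            # Periodic re-seeding: fold fresh entropy into the chain so a
            # leaked older state cannot predict tokens past this point.
            fresh = self._entropy(32)
            self._state = hashlib.sha256(self._state + fresh).digest()
        token, self._state = step(self._state)
        self._issued += 1
        return token


if __name__ == "__main__":
    gen = HashChainTokens(reseed_every=3)
    for _ in range(5):
        print(gen.next_token())
```

Within one seed epoch the holder of the starting secret can regenerate issued tokens with `replay`; after a re-seed the old secret no longer predicts the sequence.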




