On 07/06/2011 12:40, Jean-Paul Calderone wrote:
>> ...fastcgi and the initialization is only carried out once and then, say, 50 rrr values are generated.

> How much randomness do you actually have in this scheme?  The PID is probably difficult for an attacker to know, but it's allocated roughly monotonically with a known wrap-around value.  The time is probably roughly known, so it also contributes less than its full bits to the randomness.  Only dur is really unpredictable.  So you have something somewhat above 4 bytes of randomness in your seed - perhaps 8 or 10.  That's much less than even the fairly small 16 bytes of "randomness" you expose in the filename.

I'm sure you're right about the limited amount of entropy in the initial state, but how much state can be in the prng?


> The random module is entirely deterministic, so once the seed is known the value you produce is known too.

> Is 10 bytes enough to thwart your attackers?  Hard to say, what does an attack look like?
An attacker could try to gain information from seeing others' results by guessing the filename.

An attack would consist of generating a sample file via a web query, which might take 1 or 2 seconds; the sequence number could then be seen and, if the state were established, future filenames could be guessed if fastcgi is in operation.

In a CGI-type scheme, that requires searching over the PID space, the time space and some random bits from the OS.

I'm not sure such an attack is realistic given the size of the space even in the initial seed.


> If you want the full 16 bytes of unpredictability, why don't you just read 16 bytes from /dev/urandom and forget about all the other stuff?
>
> Jean-Paul
I have a vague memory that the original author felt that entropy might run out, or something like that, so always reading from /dev/urandom was not a good idea.

FreeBSD re-uses the entropy, but the end target is Solaris, so I'm not really sure about the details of /dev/urandom.
--
Robin Becker

--
http://mail.python.org/mailman/listinfo/python-list
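The seed-space argument in the quoted reply, as an added example that is not part of the original thread or of the script under discussion: a filename token built by seeding Python's `random` module with a PID, a timestamp and a request duration, an attacker that simply enumerates the ranges those three values can plausibly take, the prediction of later tokens once the seed is known (the fastcgi case), and the `os.urandom` alternative side by side. The way the three values are mixed into one seed (`seed_from`), the victim values and the attacker's search ranges are all assumptions constructed for the demonstration; the thread only says the seed comes from those three ingredients and that 16 bytes of PRNG output end up in the filename.

```python
import math
import os
import random

# Added example, not code from the thread. How pid, time and dur are
# combined into one seed is an assumption; the thread does not show it.


def seed_from(pid, t, dur):
    """Combine PID, time (epoch seconds, < 2**32) and request duration
    (ms, < 2**16) into one int.

    The fields sit in disjoint bit ranges so the mix is injective over
    realistic values; that is the most charitable case for the defender,
    and the attacker still wins on search size alone.
    """
    return (pid << 48) | (t << 16) | dur


def token_stream(pid, t, dur, count):
    """The script's side: seed random once, draw `count` 16-byte hex tokens.

    One seeding followed by many draws is the fastcgi case from the thread.
    """
    rng = random.Random(seed_from(pid, t, dur))
    return [bytes(rng.getrandbits(8) for _ in range(16)).hex()
            for _ in range(count)]


def weak_token(pid, t, dur):
    """First token a freshly seeded process would hand out."""
    return token_stream(pid, t, dur, 1)[0]


def strong_token():
    """What the quoted reply recommends: 16 bytes straight from the OS CSPRNG."""
    return os.urandom(16).hex()


def seed_bits(pid_range, time_range, dur_range):
    """Effective entropy of the seed: log2 of what the attacker has to search,
    regardless of how many bits the filename displays."""
    return math.log2(len(pid_range) * len(time_range) * len(dur_range))


def recover_seed(token, pid_range, time_range, dur_range):
    """Attacker: re-seed random for every (pid, t, dur) in the guessed ranges.

    Returns the matching triple, or None if the token is not in the space.
    """
    for pid in pid_range:
        for t in time_range:
            for dur in dur_range:
                if weak_token(pid, t, dur) == token:
                    return pid, t, dur
    return None


def predict_next(pid, t, dur, already_seen=1, count=2):
    """With the seed known, every later token of the same process is known.

    The random module is deterministic, so skipping the tokens already
    seen and continuing the stream reproduces what the victim will hand
    out next.
    """
    return token_stream(pid, t, dur, already_seen + count)[already_seen:]


def demo():
    """Constructed scenario (all values made up for the example).

    The attacker sees one token and knows the PID to within 50, the time
    to within 10 s and the duration to within 100 ms.
    """
    pid, t, dur = 4321, 1307360400, 17
    pid_range = range(4300, 4350)
    time_range = range(t - 5, t + 5)
    dur_range = range(0, 100)
    seen = weak_token(pid, t, dur)
    bits = seed_bits(pid_range, time_range, dur_range)   # about 15.6 bits
    guess = recover_seed(seen, pid_range, time_range, dur_range)
    future = predict_next(*guess) if guess else None
    return seen, bits, guess, future


if __name__ == "__main__":
    seen, bits, guess, future = demo()
    print("token seen by attacker:", seen)
    print("seed space: %.1f bits" % bits)
    print("recovered (pid, t, dur):", guess)
    print("next two tokens the process will issue:", future)
    print("compare an os.urandom token:", strong_token())
```

The point the numbers make is that the 32 hex digits in the filename say nothing about its strength: the search the attacker runs is bounded by the seed space, and widening the PID or time uncertainty only adds a few bits each, whereas `os.urandom(16)` gives the full 128 bits with nothing for `recover_seed` to enumerate.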
