Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #7220

Re: How good is security via hashing

From Paul Rubin <no.email@nospam.invalid>
Newsgroups comp.lang.python
Subject Re: How good is security via hashing
References (1 earlier) <4d3945c6-6c0b-45e4-9d12-f6f50c09108b@ct4g2000vbb.googlegroups.com> <mailman.2529.1307449692.9059.python-list@python.org> <pan.2011.06.07.21.22.54.0@nowhere.com> <7xy61d59p6.fsf@ruckus.brouhaha.com> <pan.2011.06.08.07.18.27.438000@nowhere.com>
Date 2011-06-08 00:40 -0700
Message-ID <7xd3io3h5a.fsf@ruckus.brouhaha.com> (permalink)
Organization Nightsong/Fort GNOX

Show all headers | View raw

Nobody <nobody@nowhere.com> writes:
>>> If you're going to read from /dev/urandom, limit it to a few bytes per
>>> minute, not per request.
>> That's really not going to help you.
> In what way?
> If I need security, I'll use /dev/random or /dev/urandom. If I don't, I'll
> save the real entropy for something which needs it.

I just mean that if /dev/urandom has enough internal state then within
practical bounds, its output is effectively random no matter how much
you read from it.  Did you look at the paper I linked?  "Saving" the
"real entropy" isn't feasible since the maximum capacity of the two
"real" entropy pools is 4096 bits each.  They will both fill pretty
quickly on an active system.  Reading /dev/urandom will empty the
primary pool but /dev/random is fed by the secondary pool, which
receives entropy from both the primary pool and physical sources.  If
you read too fast from /dev/urandom, the worst that happens (if I
understand correctly) is that the rate you can read from /dev/random is
cut in half and it will block more often.  If that's a serious issue for
your application, you should probably rethink your approach and get an
HSM.

Back to comp.lang.python | Previous | NextPrevious in thread | Find similar | Unroll thread

Thread

How good is security via hashing Robin Becker <robin@reportlab.com> - 2011-06-07 11:18 +0100
  Re: How good is security via hashing Jean-Paul Calderone <calderone.jeanpaul@gmail.com> - 2011-06-07 04:40 -0700
    Re: How good is security via hashing Robin Becker <robin@reportlab.com> - 2011-06-07 13:27 +0100
      Re: How good is security via hashing Paul Rubin <no.email@nospam.invalid> - 2011-06-07 06:00 -0700
      Re: How good is security via hashing Nobody <nobody@nowhere.com> - 2011-06-07 22:23 +0100
        Re: How good is security via hashing Paul Rubin <no.email@nospam.invalid> - 2011-06-07 19:38 -0700
          Re: How good is security via hashing Nobody <nobody@nowhere.com> - 2011-06-08 08:18 +0100
            Re: How good is security via hashing Paul Rubin <no.email@nospam.invalid> - 2011-06-08 00:40 -0700

csiph-web