From: Robin Becker
Newsgroups: comp.lang.python
To: python-list@python.org
Subject: Re: How good is security via hashing
Date: Tue, 07 Jun 2011 12:35:21 +0100

On 07/06/2011 11:26, Nitin Pawar wrote:
> Have you tried using UUID module?
>
> It's pretty handy and comes with base64 encoding function which gives
> extremely high quality random strings
>
> ref:
> http://stackoverflow.com/questions/621649/python-and-random-keys-of-21-char-max
......

I didn't actually ask for a suitable method for doing this; I assumed that Tim Peters' algorithm (at least I think he's behind most of the Python random support) is pretty good so that the bits produced are indeed fairly good approximations to random.

I guess what I'm asking is whether any sequence that's using random to generate random numbers is predictable if enough samples are drawn. In this case, assuming that fastcgi is being used, can I observe a sequence of generated numbers and work out the state of the generator? If that is possible then the sequence becomes deterministic and such a scheme is useless. If I use cgi then we're re-initializing the sequence, hopefully using some other unrelated randomness for each number.

Uuid apparently uses machine internals etc etc to try and produce randomness, but urandom and similar can block so are probably not entirely suitable.

--
Robin Becker