Opened 15 years ago
Closed 14 years ago
#11729 closed (wontfix)
session key should extract more entropy from time.time()
| Reported by: | Ryan Kelly | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The code to construct a new session key calls time.time() to get some additional entropy, but uses the "%s" format to mix it in. The default precision for "%s" formatting is 2 decimal places, which throws away the bits with the highest entropy:
>>> for _ in xrange(5): ... print "%s" % (time.time(),) ... 1250468751.64 1250468751.64 1250468751.64 1250468751.64 1250468751.64
Attached is a simple patch to make it use "%.20f" instead, which is much more convincingly "random":
>>> for _ in xrange(5): ... print "%.20f" % (time.time(),) ... 1250468874.97280406951904296875 1250468874.97284793853759765625 1250468874.97286295890808105469 1250468874.97287893295288085938 1250468874.97289204597473144531
Cheers,
Ryan
Attachments (1)
Change History (5)
by , 15 years ago
| Attachment: | session_key_entropy.patch added |
|---|
comment:1 by , 15 years ago
comment:2 by , 15 years ago
Indeed, I get this on my WinXP box:
>>> for _ in xrange(5): ... print "%.20f" % (time.time(),) ... 1250475647.96400000000000000000 1250475647.96500000000000000000 1250475647.96500000000000000000 1250475647.96500000000000000000 1250475647.96500000000000000000
That's still ~3 more bits of entropy than using "%s" ;-)
comment:3 by , 15 years ago
It doesn't, window's timer provides up to 15ms of percision. That won't actually reduce entropy in any way (AFAIK) though.
comment:4 by , 14 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Given the cross platform difficulties, and the absence of any explanation for why the current level of entropy isn't sufficient, I'm marking this wontfix.
While I may be wrong, ISTR something coming up once upon a time about Windows not providing enough precision to make this sort of thing reliably portable.