Opened 6 years ago

Closed 5 years ago

#11729 closed (wontfix)

session key should extract more entropy from time.time()

Reported by: rfk
Owned by: nobody
Component: contrib.sessions
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The code to construct a new session key calls time.time() to get some additional entropy, but uses the "%s" format to mix it in. The default precision for "%s" formatting is 2 decimal places, which throws away the bits with the highest entropy:
>>> for _ in xrange(5):
...     print "%s" % (time.time(),)
... 
1250468751.64
1250468751.64
1250468751.64
1250468751.64
1250468751.64

Attached is a simple patch to make it use "%.20f" instead, which is much more convincingly "random":

>>> for _ in xrange(5):
...     print "%.20f" % (time.time(),)
... 
1250468874.97280406951904296875
1250468874.97284793853759765625
1250468874.97286295890808105469
1250468874.97287893295288085938
1250468874.97289204597473144531

Cheers,

Ryan
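As an added illustration (not code from the ticket or its attached patch), the following Python 3 snippet emulates Python 2's "%s" float formatting with "%.12g" (Python 2 rendered floats with 12 significant digits) and counts how many distinct strings each format yields for a constructed burst of timestamps, which bounds the entropy the timestamp can contribute; it also models the coarse ~15 ms clock seen in comment:2. The sample values and the 0.015 s resolution are constructed for the demonstration.

```python
import math
import time

# Python 2's "%s" / str() rendered floats with 12 significant digits, i.e.
# "%.12g"; for a 10-digit epoch timestamp that leaves only 2 decimals.
# Emulated here so the comparison runs unchanged on Python 3.
PY2_STR_FMT = "%.12g"
PATCHED_FMT = "%.20f"

# Constructed sample: five calls ~40 microseconds apart, all inside the same
# hundredth of a second, like the burst pasted in the ticket description.
SAMPLE = [1250468874.972804 + i * 0.00004 for i in range(5)]


def render(stamps, fmt):
    """Render timestamps the way the session-key code would mix them in."""
    return [fmt % (t,) for t in stamps]


def distinct_bits(rendered):
    """Upper bound on the entropy the rendered strings can add: log2(#distinct)."""
    return math.log2(len(set(rendered)))


def quantize(stamps, resolution):
    """Model a coarse clock (comment:2 saw ~15 ms steps on WinXP)."""
    return [math.floor(t / resolution) * resolution for t in stamps]


def compare(stamps):
    """Return the entropy bound (bits) under each formatting choice."""
    return {
        "py2_%s": distinct_bits(render(stamps, PY2_STR_FMT)),
        "%.20f": distinct_bits(render(stamps, PATCHED_FMT)),
    }


if __name__ == "__main__":
    print("constructed burst:", compare(SAMPLE))
    print("same burst on a 15 ms clock:", compare(quantize(SAMPLE, 0.015)))
    live = [time.time() for _ in range(5)]
    print("five live time.time() calls:", compare(live))
```

On the constructed burst the "%s" emulation collapses all five stamps to one string (0 bits) while "%.20f" keeps five distinct values; on the modelled 15 ms clock both formats collapse to one value, which is the portability issue the later comments raise.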

Attachments (1)

session_key_entropy.patch (645 bytes) - added by rfk 6 years ago.


Change History (5)

Changed 6 years ago by rfk

comment:1 Changed 6 years ago by ubernostrum

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

While I may be wrong, ISTR something coming up once upon a time about Windows not providing enough precision to make this sort of thing reliably portable.

comment:2 Changed 6 years ago by rfk

Indeed, I get this on my WinXP box:

>>> for _ in xrange(5):
...     print "%.20f" % (time.time(),)
... 
1250475647.96400000000000000000
1250475647.96500000000000000000
1250475647.96500000000000000000
1250475647.96500000000000000000
1250475647.96500000000000000000

That's still ~3 more bits of entropy than using "%s" ;-)

comment:3 Changed 6 years ago by Alex

It doesn't; Windows' timer provides up to 15ms of precision. That won't actually reduce entropy in any way (AFAIK) though.

comment:4 Changed 5 years ago by russellm

  • Resolution set to wontfix
  • Status changed from new to closed

Given the cross platform difficulties, and the absence of any explanation for why the current level of entropy isn't sufficient, I'm marking this wontfix.
