Hi Anh, Good question! There's nothing built directly in, but you have several options: - You can implement, or use an existing implementation of a well known cryptographically secure PRNG, such as Blum Blum Shub. - You can make use of one of the block ciphers provided by pycrypto to generate a PRNG stream - just use it in CTR mode with a random key as seed data. - You can make use of a secure hash from the hashlib module - again, start with a random input and increment it for each block of random data.
On Wed, Oct 7, 2009 at 7:55 AM, Brandon N. Wirtz <[email protected]>wrote: > > Yep. You can write anything you want in python. > > Need a random number... Try this... > Perform a database transform 18 times, take the execution times of these, > find the min execution time, and Max execution time. > > Assign the longest time to be 100% and the shortest to be 0% the remaining > 16 passes are then converted to 0 if they are closer to 0 and 1 if closer > to > 100 > > Construct a 16 bit number from the 0's and 1's > > This method, assuming you pick a database or other operation that has an > expected time frame which is predictable, but follows a natural > distribution, will create truly random 16 bit numbers. > Please don't suggest inventing cryptographic primitives oneself! Doing so is one of the fastest and easiest ways to end up with security flaws in your software. -Nick Johnson > > Depending on how many bit number you need you can increase the number of > numbers generated. > > If you need a longer random number in low volume you can do a hash of the > most recent page added to digg. > > Construct a random number based on the difference in system time between > your server and the client making the request. > > > Suitability for cryptography is a stupid blanket statement: > If you need one 128 bit random number you could ask 128 people 1 or 0 and > have a suitable number. But because of the way people work if you did > that > 1 million times you'd find that you don't get good distribution of 1s and > 0s. > > If instead you said give me a number between 1 and 100 and assigned even > numbers a 0 and odds a 1 you would get a more random number suitable for > 100's of thousands of crypto keys. > > If you instead took the temperature of 128 people and if the thermometer > said an even decimal assigned that a 0 and odd decimals a 1, you would have > a random number that would be suitable for millions of random numbers. > > If you took the hash of a password some one gave you, you'd be good for a > few thousand random numbers but would find some passwords came up more than > statistically random should.. > > -Brandon Wirtz > Blackwaterops.com > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Anh Hai Trinh > Sent: Tuesday, October 06, 2009 8:31 PM > To: Google App Engine > Subject: [google-appengine] Generate cryptographically secure random number > > > Python random uses the Mersenne Twister RNG, which is "completely > unsuitable for cryptographic purposes." [1] > > AppEngine also includes pyCrypto.randpool, but it needs access to '/ > dev/random' because "if it can't get entropy from the OS, it silently > produces predictable output." [2] (plus it will be deprecated) > > So my question is, is it possible to generate cryptographically secure > random number in AppEngine? > > Reference > ========= > [1] http://docs.python.org/library/random.html > [2] http://lists.dlitz.net/pipermail/pycrypto/2008q3/000000.html > > > > > > -- Nick Johnson, Developer Programs Engineer, App Engine Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047 --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en -~----------~----~----~----~------~----~------~--~---
