Re: Introducing the secrets module

2016-04-17 Thread Steven D'Aprano
On Sun, 17 Apr 2016 10:40 pm, Irmen de Jong wrote:

> On 17-4-2016 4:36, Steven D'Aprano wrote:
> 
>> And the documentation:
>> 
>> https://docs.python.org/3.6/library/secrets.html
>> 
>> 
>> Comments requested.
> 
> I've read about the "How many bytes should tokens use?" consideration. It
> suggests that to be secure, tokens need to have sufficient randomness. The
> default token length is subject to change at any time to remain secure
> against brute-force. However the API allows you to supply any token
> length, even one that is (a lot) shorter than the default.
> In view of the rationale for this new module ("Python's standard library
> makes it too easy for developers to inadvertently make serious security
> errors") should it perhaps not be allowed to use a value that is less than
> the default?
> 
> Hm, perhaps it should not; enforcing this could break code suddenly in the
> future when the default is raised...

Correct.

Also, consider that random tokens are not necessarily for high-security
purposes. Consider YouTube URLs that are intended to be hard to guess and
unpredictable, but permanent:

http://www.youtube.com/watch?v=kQFKtI6gn9Y

There are no security implications from revealing or guessing this URL.

On the other hand:

https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/




-- 
Steven

-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Introducing the secrets module

2016-04-17 Thread Irmen de Jong
On 17-4-2016 4:36, Steven D'Aprano wrote:

> And the documentation:
> 
> https://docs.python.org/3.6/library/secrets.html
> 
> 
> Comments requested.

I've read about the "How many bytes should tokens use?" consideration. It
suggests that to be secure, tokens need to have sufficient randomness. The
default token length is subject to change at any time to remain secure
against brute-force. However the API allows you to supply any token
length, even one that is (a lot) shorter than the default.
In view of the rationale for this new module ("Python's standard library
makes it too easy for developers to inadvertently make serious security
errors") should it perhaps not be allowed to use a value that is less than
the default?

Hm, perhaps it should not; enforcing this could break code suddenly in the
future when the default is raised...

Irmen



Introducing the secrets module

2016-04-16 Thread Steven D'Aprano
I'm pleased to announce a new standard library module for Python 3.6 and
better, to aid in generating secure tokens for authentication and other
secrets.

Last year, the founder of OpenBSD Theo de Raadt contacted Guido van Rossum
with concerns that the Python standard library made it too easy for people
to generate insecure tokens, session keys and related data.

The problem is that developers may use the random module for generating
tokens which need to be hard to guess. However the random module uses the
Mersenne Twister by default, which is designed for simulation and modelling
and is not suitable for cryptographic purposes. Consequently such tokens
may be insecure.

After much discussion, it was decided to leave the random module as-is, but
introduce a new module which can be used to generate hard-to-guess
(cryptographically strong) tokens and random numbers: the secrets module.

See the PEP for more details:

https://www.python.org/dev/peps/pep-0506/

And the documentation:

https://docs.python.org/3.6/library/secrets.html


Comments requested.



-- 
Steven
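
Added example, not part of the original messages or of the secrets module itself: it contrasts a token built from the random module (reproducible from its seed) with secrets.token_urlsafe, and sizes the brute-force search space for the 6- and 11-character lengths that come up in the replies. The names `MIN_TOKEN_BYTES`, `mt_token`, `token_bits`, `expected_guesses` and `new_token`, the 64-symbol alphabet and the 16-byte floor are assumptions made for illustration.

```python
import math
import random
import secrets

# Assumed application policy floor; not a value defined by the secrets module.
MIN_TOKEN_BYTES = 16
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"

def mt_token(seed, nchars=11):
    """Token built from the random module (Mersenne Twister).
    The output is fully determined by the seed, so it is not a secret."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(nchars))

def token_bits(nchars, alphabet_size=64):
    """Search-space size, in bits, for a uniformly random token."""
    return nchars * math.log2(alphabet_size)

def expected_guesses(bits):
    """Average number of guesses needed to hit one specific token."""
    return 2 ** (bits - 1)

def new_token(nbytes=None, high_security=True):
    """Wrapper over secrets.token_urlsafe. The floor is enforced by the
    application, only for security-sensitive tokens; nbytes=None defers
    to the module's own default, which may grow over time."""
    if high_security and nbytes is not None and nbytes < MIN_TOKEN_BYTES:
        raise ValueError(
            f"nbytes={nbytes} is below the policy floor of {MIN_TOKEN_BYTES}")
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    # Same constructed seed, same token: anyone who learns the seed has it.
    print("random reproducible:", mt_token(1234) == mt_token(1234))
    for n in (6, 11):
        bits = token_bits(n)
        print(f"{n} chars: {bits:.0f} bits, ~{expected_guesses(bits):.3g} guesses")
    print("session token:", new_token())
    print("low-stakes id:", new_token(8, high_security=False))
```

Keeping the floor in application code rather than in the library leaves short, low-stakes identifiers possible while session tokens and similar secrets follow the module default.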
