Message172589
The documentation [1] of the random module contains a misleading warning
---
Warning: The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.
---
The warning should point users to os.urandom() and random.SystemRandom rather than ssl.RAND_bytes(). On Linux os.urandom() wraps /dev/urandom [2], on Windows it uses CryptGenRandom() [3]. Both are suitable for most cryptographic purposes except for long-lived keys (SSL, SSH, GPG certs etc.). ssl.RAND_bytes() should only be used for such long-lived data and not for salts, session ids and similar.
I like to see the warning box in Python 2.7, too. It's still the default for docs.python.org. My inquiry is motivated by #16184.
[1] http://docs.python.org/py3k/library/random.html
[2] http://linux.die.net/man/4/urandom
[3] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx |
|
Date |
User |
Action |
Args |
2012-10-10 16:13:10 | christian.heimes | set | recipients:
+ christian.heimes, docs@python |
2012-10-10 16:13:10 | christian.heimes | set | messageid: <1349885590.41.0.193272073786.issue16190@psf.upfronthosting.co.za> |
2012-10-10 16:13:10 | christian.heimes | link | issue16190 messages |
2012-10-10 16:13:10 | christian.heimes | create | |
|