这段代码能够生成密码学安全的伪随机数发生器吗?

huangapple go评论61阅读模式
英文:

Is this code capable of generating Cryptographically Secure Pseudo-Random Number Generator

问题

I have a piece of code which generates a string of length 50 to 100 with random characters:

CharLIST = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890')
def NEW(id_len):
    _id = ''
    while len(_id) < id_len:
        _id += random.choice(CharLIST)
    return _id
NEW(random.randint(50, 100))

我有一段代码可以生成长度在50到100之间的随机字符的字符串。

I expect it to generate a completely random string which is not unpredictable:

我期望它生成完全随机的字符串,但这个字符串可能不够难以预测。

I used a code analyser which said it is not Cryptographically Secure:

我使用了代码分析工具,它指出这段代码不是密码学安全的。

But it generates random strings which I think are unpredictable based on seeing 200 results:

但根据200个结果,它生成了我认为是难以预测的随机字符串。

英文:

I have a piece of code which generates a string of length 50 to 100 with random characters

the code is :

CharLIST = list(&#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890&#39;)
def NEW(id_len):
    _id = &#39;&#39;
    while len(_id) &lt; id_len:
        _id += random.choice(CharLIST)
    return _id
NEW(random.randint(50, 100))

I expect it to generate a completely random string which is not unpredictable
I used a code analyser which said it is not Cryptographically Secure
but it generate random strings which I think are unpredictable based on seeing 200 results

答案1

得分: 3

不,random 中的任何实用程序都不应被视为安全。它们的输出完全是确定性的。这在该模块文档的顶部强调了:

Python 使用 Mersenne Twister 作为核心生成器... 它完全是确定性的,不适合所有目的,对于加密目的来说完全不合适。

[...]

警告: 本模块的伪随机生成器不应用于安全目的。对于安全或加密用途,请参见secrets 模块。

正如建议的那样,对于密码学安全的随机数生成,您应该使用 secrets 模块:

secrets 模块用于生成适用于管理密码、帐户认证、安全令牌和相关机密的密码学强随机数。

特别地,secrets 应该优先于 random 模块中的默认伪随机数生成器,后者设计用于建模和模拟,而不是安全或加密。

对于您的特定用例,secrets 模块提供了一个与 random.choice 类似的 secrets.choice 函数。

英文:

No, none of the utilities in random should be considered secure. Their output is completely deterministic.
This is emphasized in warnings at the top of the module's documentation:

> Python uses the Mersenne Twister as the core generator .... [which], being completely deterministic, is not suitable for all purposes, and is completely unsuitable for cryptographic purposes.
>
> [...]
>
> Warning: The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.

As suggested, for cryptographically secure random number generation, you should use the secrets module:
> The secrets module is used for generating cryptographically strong random numbers suitable for managing data such as passwords, account authentication, security tokens, and related secrets.
>
> In particular, secrets should be used in preference to the default pseudo-random number generator in the random module, which is designed for modelling and simulation, not security or cryptography.

For your particular use case, the secrets module provides a secrets.choice function that works analogously to random.choice.

答案2

得分: 0

像Brian说的,使用随机方法来加密不安全。请使用secrets模块并使用内置的 choice 函数,而不是随机函数。您还可以使用string模块来缩短您的组合:

import string
import secrets

CharLIST = string.digits + string.ascii_letters

def NEW():
  myPass = "".join(secrets.choice(CharLIST) for i in range(50,100))
  return myPass

print(NEW())
英文:

Like @Brian said, random isn't secure with encrypting. Use the secrets module with the built in choice function instead of random. You can also use the string module to shorten your combinations:

import string
import secrets


CharLIST = string.digits + string.ascii_letters

def NEW():
  myPass = &quot;&quot;.join(secrets.choice(CharLIST) for i in range(50,100))
  return myPass


print(NEW())

huangapple
  • 本文由 发表于 2023年3月21日 02:49:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/75794182-2.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定