---[Vulnerability description]
Positive Research experts have detected a vulnerability "Predictable pseudorandom numbers in Python" caused by random.random() output in Python.
By default, Mersenne Twister initialization is done during random module import and then after 312 random.random() calls, which allows attackers to predict 313 random number with 2^8 accuracy based on 1, 2, 199, 200, 511, 625 random numbers.
---[Solution]
We recommend that you initialize random.seed() after every 312 calls, which guarantees enough entropy of Mersenne Twister element statuses.
---[Credits]
Vulnerability was detected by Timur Yunusov, Positive Research Center (Positive Technologies Company)
---
I don't see a problem here. It's a well known and documented fact that a PRNG like a Mersenne-Twister must not be used for any cryptographic purpose. Most of the random module is designed to be deterministic. The global instance even keeps its state after fork(). It's really not a security issue but a feature.
http://docs.python.org/library/random.html
---
The Mersenne Twister is one of the most extensively tested random number generators in existence. However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes.
---
The os.urandom() function and random.SystemRandom class are designed to create cryptographically strong random data that can be used for most purposes except for long lived crypto keys like SSL certs.
- In spite of the fact that MT states are initialized correctly, there is a practical method to exploit the vulnerability because of Python web framework peculiarities.
What does this mean exactly? If it means that this predictability can be used for attacks on web frameworks because they assume cryptographic strength of random numbers, please report it to those frameworks' security channels, e.g. security@djangoproject.com.
Thank you, you are right. Please close the issue.
I'm closing the issue as suggested.
I created bpo-16190 in the hope that a documentation update is going to raise awareness.
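The determinism discussed in this thread, shown beside the random.SystemRandom alternative it names, as an added example that is not part of the original issue or of CPython. The function names, the seed and the token alphabet are constructed for illustration.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits
_sysrand = random.SystemRandom()      # draws from os.urandom(); keeps no state

def weak_token(rng, length=16):
    """Token drawn from a Mersenne Twister instance: fully determined by its state."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_token(length=16):
    """Token drawn from the operating system's entropy source."""
    return "".join(_sysrand.choice(ALPHABET) for _ in range(length))

def replay_from_state(state, length=16):
    """Rebuild a generator from a saved state and reproduce its next token."""
    clone = random.Random()
    clone.setstate(state)
    return weak_token(clone, length)

def system_random_has_state():
    """True only if SystemRandom exposes a state that could be saved and replayed."""
    try:
        _sysrand.getstate()
    except NotImplementedError:
        return False
    return True

def demo():
    rng = random.Random(20121010)     # constructed seed so the demo is repeatable
    for _ in range(312):              # the interval named in the report
        rng.random()
    snapshot = rng.getstate()         # a fork()ed child holds the same state
    issued = weak_token(rng)          # what the application would hand out
    replayed = replay_from_state(snapshot)
    return issued, replayed

if __name__ == "__main__":
    issued, replayed = demo()
    print("Mersenne Twister token:", issued)
    print("replayed from state   :", replayed)
    print("tokens identical      :", issued == replayed)
    print("SystemRandom has state:", system_random_has_state())
    print("SystemRandom token    :", strong_token())
```

Any copy of the Mersenne Twister state yields the same token, while SystemRandom has no state to copy, which is why the thread points security-sensitive callers at os.urandom() and random.SystemRandom rather than at periodic reseeding.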
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```python
assignee = None
closed_at =
created_at =
labels = ['type-security', 'library']
title = 'Attack against the pseudorandom number generator'
updated_at =
user = 'https://bugs.python.org/ymaryshev'
```
bugs.python.org fields:
```python
activity =
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date =
closer = 'christian.heimes'
components = ['Library (Lib)']
creation =
creator = 'ymaryshev'
dependencies = []
files = ['27514']
hgrepos = []
issue_num = 16184
keywords = []
message_count = 5.0
messages = ['172566', '172568', '172583', '172619', '172620']
nosy_count = 4.0
nosy_names = ['georg.brandl', 'christian.heimes', 'maker', 'ymaryshev']
pr_nums = []
priority = 'normal'
resolution = 'rejected'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue16184'
versions = ['Python 3.3']
```