[issue15206] uuid module falls back to unsuitable RNG

[STINNER Victor]

STINNER Victor  added the comment:

I close the issue. Python 3.7 and newer are fixed. Python 2.7 is still 
affected, but I consider that it's ok to leave the bug unfixed in this version.

--

> The random number generator now reseeds after a fork.

I confirm that it's done since Python 3.7, and Python 3.6 doesn't accept 
bugfixes anymore (only security fixes). So the issue is fixed in Python 3.7, 
3.8 and master. For the record, the fix was this change:

commit 346cbd351ee0dd3ab9cb9f0e4cb625556707877e
Author: Antoine Pitrou 
Date:   Sat May 27 17:50:54 2017 +0200

bpo-16500: Allow registering at-fork handlers (#1715)

Backporting this change to Python 3.6 and 3.5 would be too intrusive and risky. 
I don't think that this bug is important enough to be qualified as security 
vulnerability (the issue type is not "Security").


For Python 2.7, honestly, I don't think that the issue matters enough to 
justify to fix it today, knowning that Python 2.7 will reach its end of life at 
the end of the year. Moreover, apart Christian Heimes, no user ever complained 
about this issue.


Note: uuid.uuid4() always used os.urandom(16) which is not affected by this 
issue on fork. Only uuid.uuid1() and uuid.getnode() has the bug in Python 2.7.

--
resolution:  -> fixed
stage:  -> resolved
status: open -> closed
versions: +Python 3.7, Python 3.8, Python 3.9 -Python 2.7, Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Raymond Hettinger]

Raymond Hettinger  added the comment:

The random number generator now reseeds after a fork.

Can this now be closed as "out-of-date" or is there still something that needs 
to be done?

--
status: pending -> open

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes added the comment:

Past me was a bit too eager...

Only UUID4 are suppose to be random and unpredictable. uuid.UUID4 uses 
os.urandom() to as RNG. UUID1, UUID3 and UUID5 are more concerned with reducing 
collisions.

--
status: open -> pending
type: security -> behavior

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[STINNER Victor]

STINNER Victor added the comment:

> Given the introduction of the secrets module in 3.6, perhaps uuid could be 
> updated to fall back to that rather than to the random module and leave older 
> versions unmodified?

issue15206.patch catchs exceptions on random.SystemRandom error, but the 
secrets module also uses random.SystemRandom. I don't think that "fallback on 
secrets" makes sense here, or do I miss something?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Nick Coghlan]

Nick Coghlan added the comment:

Given the introduction of the secrets module in 3.6, perhaps uuid could be 
updated to fall back to that rather than to the random module and leave older 
versions unmodified?

--
nosy: +ncoghlan
versions: +Python 3.6 -Python 3.2, Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

The rest of the module uses bar excepts. I could change the signature if you 
insist.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Antoine Pitrou]

Antoine Pitrou pit...@free.fr added the comment:

 The rest of the module uses bar excepts.

It was probably written in prehistoric times :)
The other excepts can be converted later, if the module gets other changes. I 
don't think it is a deliberate style choice (it would be particularly 
distasteful :-)).

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

Am 28.06.2012 07:54, schrieb Martin v. Löwis:
 
 Martin v. Löwis mar...@v.loewis.de added the comment:
 
 a) my patch handles the fork() issue correctly
 
 If the system has urandom, yes.

That's the easy and trivial case. It also handles fork() by storing the
PID and comparing it to os.getpid() whenever the RNG is acquired.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Antoine Pitrou]

Antoine Pitrou pit...@free.fr added the comment:

+except Exception:

I don't think that's a good idea. You should list the specific exceptions here 
(NotImplementedError, OSError perhaps?).

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

New submission from Christian Heimes li...@cheimes.de:

The uuid module uses Mersenne Twister from the random module as last fallback. 
However a MT isn't suitable for cryptographic purposes. The module should first 
try to use os.urandom() and then perhaps use its own instance of random.Random, 
similar to uuid_generate_* [1]

The problem doesn't apply to most modern platforms as the uuid module uses 
either libuuid or the Windows API with ctypes. Therefore I consider the real 
world severity as low. It may not require a backport to Python 2.x.

[1] http://linux.die.net/man/3/uuid_generate

--
components: Library (Lib)
messages: 164157
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: uuid module falls back to unsuitable RNG
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Arfrever Frehtes Taifersar Arahesis]

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

Further analysis:

* uuid1() uses random.randrange() if the system doesn't provide 
uuid_generate_time

* uuid1() also falls back to random.randrange() in getnode()'s 
_random_getnode() if no hardware address can be acquired.

* uuid4() is fine as it only falls back to random.randrange() when os.urandom() 
fails.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Martin v . Löwis]

Martin v. Löwis mar...@v.loewis.de added the comment:

Can you elaborate why it is unsuitable? None of the uuid functions claim any 
cryptographic properties, so even if MT was unsuitable for cryptographic 
purposes, this wouldn't rule it out for generating uuids.

--
nosy: +loewis

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

IMHO it's all about managing expectations. As libuuid is using a crypto RNG 
before it falls back to a less suitable RNG. We should follow this example. I 
couldn't find any information about the implementation details of Window's 
UuidCreate().

I agree that we can disagree on my reasoning. However the usage of 
random.random() and random.randint() in uuid is flawed for a second reason. The 
default instance random._inst doesn't compensate for fork(). After fork() the 
two processes share the same random state and thus will create the same uuids. 
For example tempfile._RandomNameSequence re-creates the RNG when it notices a 
different PID.

--
keywords: +patch
Added file: http://bugs.python.org/file26190/issue15206.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Raymond Hettinger]

Raymond Hettinger raymond.hettin...@gmail.com added the comment:

Are uuid's promised to be cryptographically secure?

--
assignee:  - rhettinger
nosy: +rhettinger

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

Not, not by definition. However an uuid generator shall geenerate uuid in a way 
that make collisions highly improbable. IMHO this verdict implies that an uuid 
generator should use the cryptographic RNG if available.

The behavior after fork() is clearly a bug as it will generate lots of 
collisions on systems that fall back to random.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[STINNER Victor]

STINNER Victor victor.stin...@gmail.com added the comment:

 However a MT isn't suitable for cryptographic purposes.
 The module should first try to use os.urandom() and
 then perhaps use its own instance of random.Random,
 similar to uuid_generate_* [1]

os.urandom() is not suitable for cryptographic purposes :-) Python 3.3 has also 
ssl.RAND_bytes() which is better than os.urandom(), but it's not possible 
(easy?) to build a custom random.Random class with an arbitrary RNG (like 
os.urandom or ssl.RAND_bytes).

It would be nice to provide an API to choose the best RNG depending on a set of 
requirements. I wrote the Hasard library which implements such idea: the 
library provides profiles and chooses the best RNG for a profile. Profiles:
- fast
- secure nonblocking
- secure blocking
- hardware

See the doc directory the Hasard project for details:
https://bitbucket.org/haypo/hasard/
https://bitbucket.org/haypo/hasard/src/82d13450c552/doc/profile_list.rst

See also the issue #12858 for another user of a better RNG.

I'm quite sure that all these RNG issues are a good candidate for a PEP because 
RNG is complex problem, there are different use cases, various implements, and 
a lot of common issue (in RNG implementations). Handling fork or not is an 
important question, which impact performances, for example.

See also the issue #12754: Add alternative random number generators.

--
nosy: +haypo

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Antoine Pitrou]

Antoine Pitrou pit...@free.fr added the comment:

From the /dev/urandom Linux man page:

   If  you  are  unsure  about  whether  you  should  use  /dev/random  or
   /dev/urandom, then probably you want to use the latter.  As  a  general
   rule,  /dev/urandom  should  be  used  for everything except long-lived
   GPG/SSL/SSH keys.

   If a seed file is saved across reboots as recommended below (all  major
   Linux  distributions have done this since 2000 at least), the output is
   cryptographically secure against attackers without local root access as
   soon as it is reloaded in the boot sequence, and perfectly adequate for
   network encryption session keys. 


So, yes, /dev/urandom is suitable for most cryptographic purposes (except 
long-lived private keys).

--
nosy: +pitrou

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Christian Heimes]

Christian Heimes li...@cheimes.de added the comment:

Antoine beat me to it and he is totally right.

Please don't derail this bug report. I agree with your analysis that the RNG 
core of random.Random subclass can't be replaced easily and that more 
implementations for different purposes would be great. You should stick the 
analysis into a different ticket or write a PEP. This ticket is the wrong 
place. I'll support you if you keep the ticket on course. ;)

Let's concentrate on the topic at hand and discuss if 

a) my patch handles the fork() issue correctly
b) if it's a good idea to try SystemRandom first
c) a backport to 2.6, 2.7, 3.1 and 3.2 is required
and perhaps
d) if I should open another ticket to work on a general solution for the RNG + 
fork() issue.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Martin v . Löwis]

Martin v. Löwis mar...@v.loewis.de added the comment:

 a) my patch handles the fork() issue correctly

If the system has urandom, yes.

 b) if it's a good idea to try SystemRandom first

Certainly.

 c) a backport to 2.6, 2.7, 3.1 and 3.2 is required
 and perhaps

Cannot backport to 2.6 and 3.1; it's not a security issue.

 d) if I should open another ticket to work on a general solution for  
 the RNG + fork() issue.

I'm not quite sure what a solution could be, or wether there is
an issue in the first place, so -0.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue15206] uuid module falls back to unsuitable RNG

[Martin v . Löwis]

Changes by Martin v. Löwis mar...@v.loewis.de:


--
versions:  -Python 2.6, Python 3.1

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15206
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com