Security Advisory: Weak random source in Python DSA signing
142 views
Skip to first unread message
Steve Weis
Jun 17, 2009, 9:24:31 PM6/17/09
to Keyczar Discuss
The Python implementation of DSA signing improperly called
random.randint(), which is not a cryptographically strong source of
randomness. These bits were used to generate the 'k' parameter in DSA
signed messages. Predictable 'k' values used in signed messages could
potentially leak private signing keys.
This issue has been addressed by changing the signing code to call
random.SystemRandom():
http://code.google.com/p/keyczar/source/detail?r=420
Python users should update to the latest version:
http://keyczar.googlecode.com/files/python-keyczar-0.6b.061709.tar.gz
Key generation is not affected by this issue. Random bytes were either
generated using PyCrypto's RandomPool or through PyCrypto's asymmetric
key implementations.
I'd like to invite comments here on random number generation in
Python. I have not looked closely at random.SystemRandom() or
PyCrypto's RandomPool. If there are outstanding issues or suggestions,
please share them.
random.randint(), which is not a cryptographically strong source of
randomness. These bits were used to generate the 'k' parameter in DSA
signed messages. Predictable 'k' values used in signed messages could
potentially leak private signing keys.
This issue has been addressed by changing the signing code to call
random.SystemRandom():
http://code.google.com/p/keyczar/source/detail?r=420
Python users should update to the latest version:
http://keyczar.googlecode.com/files/python-keyczar-0.6b.061709.tar.gz
Key generation is not affected by this issue. Random bytes were either
generated using PyCrypto's RandomPool or through PyCrypto's asymmetric
key implementations.
I'd like to invite comments here on random number generation in
Python. I have not looked closely at random.SystemRandom() or
PyCrypto's RandomPool. If there are outstanding issues or suggestions,
please share them.
Reply all
Reply to author
Forward
0 new messages