Security Advisory: Weak random source in Python DSA signing

140 views
Skip to first unread message

Steve Weis

unread,
Jun 17, 2009, 9:24:31 PM6/17/09
to Keyczar Discuss
The Python implementation of DSA signing improperly called
random.randint(), which is not a cryptographically strong source of
randomness. These bits were used to generate the 'k' parameter in DSA
signed messages. Predictable 'k' values used in signed messages could
potentially leak private signing keys.

This issue has been addressed by changing the signing code to call
random.SystemRandom():
http://code.google.com/p/keyczar/source/detail?r=420

Python users should update to the latest version:
http://keyczar.googlecode.com/files/python-keyczar-0.6b.061709.tar.gz

Key generation is not affected by this issue. Random bytes were either
generated using PyCrypto's RandomPool or through PyCrypto's asymmetric
key implementations.

I'd like to invite comments here on random number generation in
Python. I have not looked closely at random.SystemRandom() or
PyCrypto's RandomPool. If there are outstanding issues or suggestions,
please share them.
Reply all
Reply to author
Forward
0 new messages