Is python's random number generation easily reproducible?


Problem description

I was reading about python's random module in standard library. It amazes me that when I set the seed and produce a few random numbers:

import random

random.seed(1)
for i in range(5):
    print(random.random())

The numbers produced are exactly the same as the sample in the article. I think it's safe to say the algorithm is deterministic when the seed is set.

And when the seed is not set, the standard library seeds with time.time(). Now suppose an online service uses random.random() to generate a captcha code, can a hacker use the same random generator to reproduce the captcha easily?

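  1. Let's assume the hacker knows the algorithm that converts the random number into the captcha code. Otherwise, it seems quite impossible.
  2. Since random.seed() is called when the module is imported, I assume that for a web application the time used as the seed will be around the time the request is sent (within a few seconds), so it won't be hard to calibrate with a few tries?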

Am I worrying too much, or is this a real vulnerability?

Recommended answer

It shouldn't surprise you that the sequence is deterministic after seeding. That's the whole point of seeding. random.random is known as a PRNG, a pseudo-random number generator. This is not unique to Python, every language's simple random source is deterministic in this way.

And yes, people who are genuinely concerned about security will worry that an attacker could reproduce the sequence. That's why other sources of randomness are available, like os.urandom, but they are more expensive.

But the problem is not as bad as you say: for a web request, typically a process handles more than one request, so the module is initialized at some unknown point in the past, not when the web request was received.
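The scenario discussed above, as an added example that is not part of the original question or answer: a captcha derived from a seeded `random.Random` next to one drawn from the OS CSPRNG through `secrets`. The alphabet, code length, whole-second seed and the sample start time are assumptions made for illustration.

```python
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed captcha alphabet
LENGTH = 6                                         # assumed captcha length


def captcha_from_seed(seed):
    """Weak design: the code is a pure function of the seed."""
    rng = random.Random(seed)  # Mersenne Twister, fully deterministic
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def captcha_secure():
    """Hardened design: drawn from the OS CSPRNG, so there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def seeds_reproducing(observed, start, end):
    """Return every integer seed in [start, end) that regenerates `observed`."""
    return [s for s in range(start, end) if captcha_from_seed(s) == observed]


def demo():
    boot_time = 1_700_000_000  # constructed value: seeding time in whole seconds
    issued = captcha_from_seed(boot_time)
    # Knowing the seeding time to within +/- 5 minutes leaves only 600
    # candidates, and the issued code identifies the right one.
    hits = seeds_reproducing(issued, boot_time - 300, boot_time + 300)
    return boot_time, issued, hits


if __name__ == "__main__":
    boot_time, issued, hits = demo()
    print("issued:", issued)
    print("seeds that reproduce it:", hits)
    print("CSPRNG captcha:", captcha_secure())
```

For anything that must be unguessable (captchas, tokens, reset codes), use `secrets` or `random.SystemRandom`; keep seeded `random` for simulations and tests where reproducibility is the goal.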
