Problem description

Checked the CPython source code for both secrets and uuid4. Both seem to be using os.urandom.
    import os
    import random
    from uuid import UUID

    # uuid.py (CPython excerpt)
    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)

    # secrets.py (CPython excerpt; DEFAULT_ENTROPY and _sysrand are module globals there)
    DEFAULT_ENTROPY = 32            # default number of bytes to return
    _sysrand = random.SystemRandom()

    def token_bytes(nbytes=None):
        """Return a random byte string containing *nbytes* bytes.

        If *nbytes* is ``None`` or not supplied, a reasonable
        default is used.

        >>> token_bytes(16)  #doctest:+SKIP
        b'\\xebr\\x17D*t\\xae\\xd4\\xe3S\\xb6\\xe2\\xebP1\\x8b'

        """
        if nbytes is None:
            nbytes = DEFAULT_ENTROPY
        return _sysrand.randbytes(nbytes)

    # random.py: randbytes of SystemRandom (CPython excerpt; _urandom is os.urandom there)
    _urandom = os.urandom

    def randbytes(self, n):
        """Generate n random bytes."""
        # os.urandom(n) fails with ValueError for n < 0
        # and returns an empty bytes string for n == 0.
        return _urandom(n)
IETF warns not to use UUIDs for security capabilities. Refer to section 6 of the UUID specification. It says:

    Security Considerations

    Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
If secrets really does use urandom the same as uuid4, can we use uuid4 instead of secrets? What's the whole purpose of using secrets token_bytes instead of uuid4 itself? As per IETF's standards, is the secrets module for API keys/tokens really not secure?
Recommended answer

You might be surprised to learn that random UUIDs are not fully random. To be precise, there are 6 bits set to specific values (to indicate that it is a random UUID). They are created to be unique (with a high amount of certainty). UUIDs have a specific purpose, so you'll find all kinds of methods defined on them.
Furthermore, as the name suggests, they are not meant to be secrets. That may also mean that possible protection measures that apply to secrets are not taken. For instance, strings are usually easy to find in memory, and UUIDs are often used/communicated in a textual representation.
A token is something different. It is usually encrypted and kept secret. As such, it serves a different purpose. Of course, both UUIDs and tokens can consist of random bits and bytes. However, this is more about using the right tool for the job.
If you are creating a secret key rather than a token or UUID, I'd prefer an API-specific method for generating the keys. Otherwise it might be a good idea to use SystemRandom directly, because a key is neither a UUID nor a token.
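As an added example (not code from the question or the answer), the following Python checks the answer's point about the 6 fixed bits directly: a version-4 UUID built from any 16 bytes, exactly as uuid4() builds one, always carries version nibble 4 and variant bits 10, so only 122 of its 128 bits come from os.urandom, whereas secrets.token_bytes(n) yields all 8*n random bits. The new_api_token and verify_token helpers are my own names and show how the secrets module is meant to be used for tokens, including its constant-time comparison.

```python
import os
import secrets
import uuid


def fields(uuid_bytes: bytes) -> dict:
    """The two fields the UUID format overwrites: high nibble of byte 6
    (version) and the top two bits of byte 8 (RFC 4122 variant)."""
    return {"version_nibble": uuid_bytes[6] >> 4,
            "variant_bits": uuid_bytes[8] >> 6}


def fixed_fields(raw: bytes) -> dict:
    """Build a v4 UUID from 16 raw bytes (the same call uuid4() makes on
    os.urandom(16)) and report the fields it forced, whatever raw held."""
    return fields(uuid.UUID(bytes=raw, version=4).bytes)


def random_bits(kind: str, nbytes: int = 16) -> int:
    """Bits of entropy in an identifier of the given kind."""
    if kind == "uuid4":
        return 16 * 8 - 6        # 4 version bits + 2 variant bits are fixed
    if kind == "token_bytes":
        return nbytes * 8        # every bit comes straight from os.urandom
    raise ValueError(f"unknown kind: {kind}")


def uuid4_always_has_fixed_bits(samples: int = 500) -> bool:
    """Fresh uuid4() values all carry version 4 / variant 0b10."""
    expected = {"version_nibble": 4, "variant_bits": 0b10}
    return all(fields(uuid.uuid4().bytes) == expected for _ in range(samples))


def new_api_token(nbytes: int = 32) -> str:
    """Token the way the secrets module intends: 256 random bits, URL-safe text."""
    return secrets.token_urlsafe(nbytes)


def verify_token(presented: str, stored: str) -> bool:
    """Compare tokens in constant time; plain == stops at the first mismatch."""
    return secrets.compare_digest(presented, stored)


if __name__ == "__main__":
    print(fixed_fields(b"\xff" * 16))   # {'version_nibble': 4, 'variant_bits': 2}
    print(random_bits("uuid4"), random_bits("token_bytes", 32))   # 122 256
    print(uuid4_always_has_fixed_bits())   # True
    t = new_api_token()
    print(verify_token(t, t), verify_token(t, new_api_token()))   # True False
```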
Question title: What is the difference between uuid4 and secrets token_bytes in Python?