trying to get hash from os.urandom

Grzegorz Smith

Hi all,
I'm writing a small Python module which will be a password generator. I read
that Python can use the system random generator on machines with a *nix OS. So I
started using os.urandom, and when I generate a random string I get something
like this: urandom(8) ->
'\xec2a\xe2\xe2\xeb_\n', "\x9f\\]'\xad|\xe6\xeb", '\xb0\xf8\xd3\xa0>01\xaf'.
How can I convert this to a hash? I changed Python's defaultencoding from ascii
to utf-8 and tried to convert this to a unicode object, but I only get:
'\xb4\xa8b\xed\xb9Y-\xf3'
Any help will be appreciated. Does anyone use os.urandom for cryptography?
Gregor
 
Paul Rubin

Grzegorz Smith said:
'\xec2a\xe2\xe2\xeb_\n', "\x9f\\]'\xad|\xe6\xeb", '\xb0\xf8\xd3\xa0>01\xaf'.
How can I convert this to a hash? I changed Python's defaultencoding from ascii
to utf-8 and tried to convert this to a unicode object, but I only get:

Don't use totally arbitrary 8-bit characters in passwords. If you
just want (say) random lowercase letters, do something like (untested):

import os
import string
# string.lowercase was removed in Python 3; ascii_lowercase works in both
random_letter = string.ascii_lowercase[ord(os.urandom(1)) % 26]

for as many letters as you want in the word.

Note that the letters won't be perfectly equally probable because the
character codes are 0..255 and you get some of the residues mod 26
slightly more often than others. Obviously you can avoid that
nonuniformity in various ways, but the effect on the password entropy
is minimal even if you do nothing.

IMO it's better to use words than strings of letters. Try something
like (untested):

import binascii, os
# keep only short words (the length test still counts the trailing newline)
short_words = [w.strip() for w in open('/usr/dict/words') if len(w) < 8]
assert len(short_words) > 5000
passphrase = []

for i in range(2):  # we will generate a 2-word phrase
    # generate a random 64 bit integer
    a = int(binascii.hexlify(os.urandom(8)), 16)
    passphrase.append(short_words[a % len(short_words)])
passphrase = ' '.join(passphrase)

If you want to use the phrase as a cryptography key, use 6 or so words
instead of 2 words.

Grzegorz Smith said:
Any help will be appreciated. Does anyone use os.urandom for cryptography?

Yes, all the time.
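
An added example, not part of the original posts: it counts the modulo bias described above for `% 26`, shows rejection sampling as one way to remove it, and computes passphrase entropy for a given word-list size. The function names and the eight-word sample list are constructed for illustration.

```python
import math
import os
import string
from collections import Counter

def residue_counts(k):
    """Count how many byte values 0..255 land on each residue under `% k`."""
    return Counter(b % k for b in range(256))

def biased_entropy_bits(k):
    """Shannon entropy in bits of one pick made as ord(os.urandom(1)) % k."""
    return -sum(c / 256 * math.log2(c / 256) for c in residue_counts(k).values())

def uniform_index(k):
    """Uniform integer in [0, k) from os.urandom, using rejection sampling."""
    if k <= 0:
        raise ValueError("k must be positive")
    nbytes = (k.bit_length() + 7) // 8 + 1   # one spare byte keeps rejections rare
    space = 256 ** nbytes
    limit = space - space % k                # largest multiple of k <= space
    while True:
        r = int.from_bytes(os.urandom(nbytes), "big")
        if r < limit:                        # discard the tail that causes bias
            return r % k

def random_letters(n):
    """n lowercase letters, each equally probable."""
    return "".join(string.ascii_lowercase[uniform_index(26)] for _ in range(n))

def random_passphrase(words, n_words):
    """n_words words drawn uniformly and independently from `words`."""
    return " ".join(words[uniform_index(len(words))] for _ in range(n_words))

def uniform_bits(choices, picks):
    """Entropy in bits of `picks` independent uniform picks among `choices` items."""
    return picks * math.log2(choices)

# Constructed sample list for the demo only; far too small for real use.
SAMPLE_WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet", "harbor"]

if __name__ == "__main__":
    print(sorted(residue_counts(26).items()))           # residues 0..21 get one extra byte value
    print(math.log2(26) - biased_entropy_bits(26))      # bits lost per letter to the bias
    print(random_letters(12), "|", random_passphrase(SAMPLE_WORDS, 6))
    print(uniform_bits(5000, 2), uniform_bits(5000, 6)) # 2 vs 6 words from a 5000-word list
```

On Python 3.6 and later, `secrets.choice` performs unbiased selection from the OS generator directly.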
 
Robert Kern

Paul said:
IMO it's better to use words than strings of letters. Try something
like (untested):

import binascii, os
# keep only short words (the length test still counts the trailing newline)
short_words = [w.strip() for w in open('/usr/dict/words') if len(w) < 8]
assert len(short_words) > 5000
passphrase = []

for i in range(2):  # we will generate a 2-word phrase
    # generate a random 64 bit integer
    a = int(binascii.hexlify(os.urandom(8)), 16)
    passphrase.append(short_words[a % len(short_words)])
passphrase = ' '.join(passphrase)

If you want to use the phrase as a cryptography key, use 6 or so words
instead of 2 words.

Indeed. I like to generate {64,128}-bit-strong passphrases using the RFC1751
module provided with pycrypto.

--
Robert Kern

"In the fields of hell where the grass grows high
Are the graves of dreams allowed to die."
-- Richard Harter
 
