id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,branch,branch_author,launchpad_bug 4469,conch uses PyCrypto getRandomNumber(),zooko,,"conch uses PyCrypto's getRandomNumber() function. That function is documented in the latest versions of PyCrypto as being for internal use only: """""" This function is for internal use only and may be renamed or removed in the future. """""" http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.x.git;a=blob;f=lib/Crypto/Util/number.py;h=4bff7f0fc1cb51deb625ff3202d1c82a81e0af65;hb=HEAD#l61 In addition, {{{getRandomNumber(numbits)}}} doesn't return a random number >= 0 and < 2^numbits^, as you might expect, but instead it always sets the high bit, so it returns a random number >= 2^numbits-1^ and < 2^numbits^. This is not documented in older releases of PyCrypto but is documented in the current git head: """""" NOTE: Confusingly, this function does NOT return N random bits; It returns a random N-bit number, i.e. a random number between 2**(N-1) and (2**N)-1. """""" Since conch uses {{{getRandomNumber()}}} to generate Diffie-Hellman secret keys ([source:trunk/twisted/conch/ssh/transport.py@28979#L738 here], [source:trunk/twisted/conch/ssh/transport.py@28979#L806 here], [source:trunk/twisted/conch/ssh/transport.py@28979#L915 here], and [source:trunk/twisted/conch/ssh/transport.py@28979#L961 here]), conch is therefore accidentally generating keys slightly weaker than intended. [http://tools.ietf.org/html/rfc2631 RFC 2631] says of Diffie-Hellman secret keys: """""" X9.42 requires that the private key x be in the interval [2, (q - 2)]. x should be randomly generated in this interval. """""" I don't know why it excludes {{{q-2}}} as a valid value. {{{conch}}} currently has a non-zero but negligible chance of accidentally choosing {{{q-2}}} as its secret key. Here is some untested code that probably generates the right sort of values without using PyCrypto: {{{ import binascii def log_ceil(n, b): """""" The smallest integer k such that b^k >= n. log_ceil(n, 2) is the number of bits needed to store any of n values, e.g. the number of bits needed to store any of 128 possible values is 7. """""" p = 1 k = 0 while p < n: p *= b k += 1 return k def next_multiple(n, k): """""" The smallest multiple of k which is >= n. Note that if n is 0 then the answer is 0. """""" return div_ceil(n, k) * k def bytes_to_long(bytes): return int(binascii.hexlify(candidatebytes), 16) def secrandrange(rng, lowerbound, upperbound): interval = upperbound-lowerbound sizbits = log_ceil(interval, 2) sizbytes = next_multiple(sizbits, 8) while True: candidate = bytes_to_long(rng(sizbytes)) if candidate < interval: return candidate + lowerbound x = secrandrange(os.urandom, 2, q-1) }}}",defect,closed,high,,conch,fixed,security,zooko zooko@…,branches/conch-without-getrandomnumber-4469,,