Improper use of random module

Christian Heimes made the following report to the Plone security team:

---

Hello,

yesterday a security researcher claimed on the Python bug tracker that
he had found a security issue in Python's random module which affects
several Python web frameworks [1]. He stated that the deterministic
results of the random module can lead to breach in security. The
ticket was closed by me after we explained that the random module is
deliberately designed to create deterministic and thus predictable
random value. Its Mersenne-Twister creates statistically well
distributed numbers and not cryptographically strong random data.

In other words the random module is not a CPRNG [2] and must not be
used for any crypto and security related usage. random.SystemRandom is
only the exception to the rule as it uses os.urandom() as PRNG source.
os.urandom() is suitable for most cryptographic purposes except for
long-lived data like SSL certs.

Plone, Zope, Paste and possible other 3rd party components are using
the random module where a CPRNG is required. I suggest that you modify
your code and replace the random module with either an instance of
random.SystemRandom or os.urandom(). Improper use for the random
module are for example:

    password creation
    salt
    session keys
    digest auth
    non-deterministic ids (e.g. uuid, etags)

os.urandom() may not be available on some systems and raise
NotImplementedError. The Django and CherryPy sources contain good
examples how to deal with it.

Regards
Christian

---

In Zope2, at least AccessControl.AuthEncoding and Products.Sessions.BrowserIdManager should probably be updated to use SystemRandom when available.