Generating crypto-secure strings for OAuth tokens

Question

I want to generate tokens and keys that are random strings. What is the acceptable method to generate them?

Is generating two UUIDs via standard library functions and concatenating them acceptable?

Answer 1

Computers (without special hardware) can only generate pseudo random data. After a while, all speudo-random number generators will start to repeat themselves. The amount of data it can generate before repeating itself is called the period.

A very popular pseudo-random number (also used in Python in the random module) generator is the Mersenne Twister. But it is deemed not suitable for cryptographic purposes, because it is fairly easy to predict the next iteration after observing only a relatively small number of iterates.

See the Wikipedia page on cryptographically secure pseudo-random number generators for a list of algorithms that seem suitable.

Operating systems like FreeBSD, OpenBSD and OS X use the Yarrow algorithm for their urandom devices. So on those systems using os.urandom might be OK, because it is well-regarded as being cryptographically secure.

Of course what you need to use depends to a large degree on how high your requirements are; how secure do you want it to be? In general I would advise you to use published and tested implementations of algorithms. Writing your own implementation is too easy to get wrong.

Edit: Computers can gather random data by watching e.g. the times at which interrupts arrive. This however does not supply a large amount of random data, and it is therefore often used to seed a PRNG.

Answer 2

os.urandom provides access to the operating systems random number generator

EDIT: If you are using linux and are very concerned about security, you should use /dev/random/ directly. This call will block until sufficient entropy is available.