Code Gatherer

Reputation: 63

Why isn't random.randbytes() secure if the seed can be either time or entropy from /dev/urandom?

/dev/urandom is used in the much more recommended secrets.py library. It is also said that the random module makes use of either the current time or the system entropy from /dev/urandom. Then:

PS: I have looked at a similar question that was asked. My curiosity still wasn't fulfilled, as the former question remains unanswered.

This question only came up after I looked at https://github.com/tna0y/Python-random-module-cracker

Upvotes: 1

Views: 1430

Answers (1)

Kelly Bundy

Reputation: 27640

The cracker you linked to shows that it can predict future values based on previous values. So imagine this (extreme) case: For some encryption you build a public key with 624*32 random bits and then a private key with 624*32 random bits. Then we can compute your private key from your public key. Not good.

Demo result:

47 out of 100 private keys cracked

Demo code:

import random, os
from randcrack import RandCrack

def create_keys():
    # Seed with plenty of OS entropy: the seed quality is not what breaks here.
    random.seed(os.urandom(10000))
    public_key = [random.getrandbits(32) for _ in range(624)]
    private_key = [random.getrandbits(32) for _ in range(624)]
    return public_key, private_key

def crack(public_key):
    # randcrack rebuilds the Mersenne Twister state from 624 consecutive 32-bit outputs.
    rc = RandCrack()
    for x in public_key:
        rc.submit(x)
    cracked_private_key = [rc.predict_getrandbits(32) for _ in range(624)]
    return cracked_private_key

def demo():
    cracked = 0
    for attempt in range(1, 101):
        public_key, private_key = create_keys()
        cracked += crack(public_key) == private_key
        print(cracked, 'out of', attempt, 'private keys cracked')

demo()

Upvotes: 1
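To make the point behind the answer explicit, here is a self-contained version of the same experiment in plain Python, added as an example and not part of either post or of the randcrack project: it inverts the Mersenne Twister tempering to recover the generator's state from 624 outputs, clones the generator with random.setstate(), and then runs the identical attempt against secrets.randbits(), where it fails. The 10000-byte os.urandom seed and the 624-value "public key"/"private key" split follow the demo above; all function names are this example's own.

```python
import os
import random
import secrets

def _undo_right_shift(y, shift):
    # Inverts y = x ^ (x >> shift): the top `shift` bits are already right, propagate downward.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_left_shift(y, shift, mask):
    # Inverts y = x ^ ((x << shift) & mask): the low `shift` bits are already right, propagate upward.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF

def untemper(output):
    """Map one getrandbits(32) output back to the MT19937 state word it was tempered from."""
    x = _undo_right_shift(output, 18)
    x = _undo_left_shift(x, 15, 0xEFC60000)
    x = _undo_left_shift(x, 7, 0x9D2C5680)
    return _undo_right_shift(x, 11)

def clone_from_outputs(outputs):
    """Build a random.Random sharing the state of the generator that produced `outputs`,
    624 consecutive getrandbits(32) values taken right after a seed or a twist."""
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    clone.setstate((3, state + (624,), None))  # index 624: the next call twists, like the victim
    return clone

def predict_next_block(draw):
    """Observe 624 values from `draw`, clone the generator, and compare the next 624 values."""
    observed = [draw() for _ in range(624)]    # plays the role of the answer's "public key"
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(624)]
    actual = [draw() for _ in range(624)]      # plays the role of the "private key"
    return predicted == actual

def mt_is_predictable():
    victim = random.Random()
    victim.seed(os.urandom(10000))  # high-entropy seed, exactly as in the answer's demo
    return predict_next_block(lambda: victim.getrandbits(32))

def secrets_is_predictable():
    # Every secrets.randbits() call is an independent read from the OS CSPRNG, so the
    # "state" rebuilt from its outputs says nothing about later values and the match fails.
    return predict_next_block(lambda: secrets.randbits(32))

if __name__ == "__main__":
    print("random  predictable:", mt_is_predictable())       # True
    print("secrets predictable:", secrets_is_predictable())  # False
```

The seed only decides which of the 2^19937 - 1 states the generator starts in; once 624 outputs are visible, the whole state is known regardless of how it was chosen.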
