[Python-Dev] Status of the fix for the hash collision vulnerability (original) (raw)
Gregory P. Smith greg at krypto.org
Sat Jan 14 03:34:48 CET 2012
- Previous message: [Python-Dev] Status of the fix for the hash collision vulnerability
- Next message: [Python-Dev] Status of the fix for the hash collision vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
btw, Tim's commit message on this one is amusingly relevant. :)
http://hg.python.org/cpython/diff/8d2bbbbf2cb9/Objects/dictobject.c
On Fri, Jan 13, 2012 at 6:25 PM, Gregory P. Smith <greg at krypto.org> wrote:
Clearly these ideas are more complex than adding randomization, but adding randomization doesn't seem to be produce immunity from attack, when data about the randomness is leaked.
Which will not normally happen. I'm firmly in the camp that believes the random seed can be probed and determined by creatively injecting values and measuring timing of things. But doing that is difficult and time and bandwidth intensive so the per process random hash seed is good enough. There's another elephant in the room here, if you want to avoid this attack use a 64-bit Python build as it uses 64-bit hash values that are significantly more difficult to force a collision on. -gps -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20120113/bfe8d3f3/attachment.html>
- Previous message: [Python-Dev] Status of the fix for the hash collision vulnerability
- Next message: [Python-Dev] Status of the fix for the hash collision vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]