[Python-Dev] [issue13703] Hash collision security issue (original) (raw)

Antoine Pitrou solipsis at pitrou.net
Sat Jan 28 02:13:40 CET 2012

• Previous message: [Python-Dev] [issue13703] Hash collision security issue
• Next message: [Python-Dev] [issue13703] Hash collision security issue
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 28 Jan 2012 01:53:40 +0100 martin at v.loewis.de wrote:

> How so? None of the patches did, but I think it was said several times > that other types (int, tuple, float) could also be converted to use > randomized hashes. What's more, there isn't any technical difficulty in > doing so. The challenge again is about incompatibility: the more types you apply this to, the higher the risk of breaking third-party code. Plus you still risk that the hash seed might leak out of the application, opening it up again to the original attack.

Attacks on the hash seed are a different level of difficulty than sending a well-known universal payload to a Web site.

Unless the application leaks hash() values directly, you have to guess them from the dict ordering observed in the application's output. IMHO it's ok if our hash function is vulnerable to cryptanalysts rather than script kiddies.

Regards

Antoine.

• Previous message: [Python-Dev] [issue13703] Hash collision security issue
• Next message: [Python-Dev] [issue13703] Hash collision security issue
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list