[Python-Dev] Make str/bytes hash algorithm pluggable?
Guido van Rossum guido at python.org
Thu Oct 3 22:47:23 CEST 2013
On Thu, Oct 3, 2013 at 12:55 PM, Christian Heimes <christian at python.org> wrote:

> On 03.10.2013 21:45, Guido van Rossum wrote:
>> But fixing that shouldn't need all the extra stuff you're
>> proposing.
>
> I have proposed some of the extra stuff for more flexibility, the rest is for testing and debugging.
Hm, I don't think we need more infrastructure for this. As Antoine said, if you're hacking on this you might as well edit the source.
>> What's a Python randomization key?
>
> Python's hash randomization key, the seed to randomize the output of hash() for bytes and str.
Is the seed itself crypto-safe? (I.e. is it derived carefully from urandom?)
>>> SipHash: more secure and about same speed on most systems
>>
>> Same speed as what?
>
> Same speed as the current algorithm in Python 3.3 and earlier.
OK, then I have no objection to switching to it, if the security issue is really worth fixing. Otherwise it would be better to look for a hash that is faster, given your assertion that the current hash is inefficient.
>>> optimized FNV: faster but with a known issue
>>
>> What issue?
>
> Quote from https://131002.net/siphash/#at
> ---
> Jointly with Martin Boßlet, we demonstrated weaknesses in MurmurHash (used in Ruby, Java, etc.), CityHash (used in Google), and in Python's hash. Some of the technologies affected have switched to SipHash. See this oCERT advisory, and the following resources:
> [...]
> - Python script https://131002.net/siphash/poc.py to recover the secret seed of the hash randomization in Python 2.7.3 and 3.2.3
Sounds a bit like some security researchers drumming up business. If you can run the binary, presumably you can also recover the seed by looking in /proc, right? Or use ctypes or something. This demonstration seems of academic interest only.
> ---
>
> It's all documented in my PEP draft, too.
Yeah, there's lots of stuff there. I'm looking for the TL;DR version. :-)
--
--Guido van Rossum (python.org/~guido)
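An added example, not code from this thread or from CPython: a pure-Python SipHash-2-4, the keyed hash Christian proposes above for str/bytes, checked against the known-answer vector from the SipHash paper. It assumes the 16-byte key plays the role of the per-process hash randomization seed discussed above.

```python
import struct

MASK64 = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def _sipround(v0, v1, v2, v3):
    # One SipRound from the paper: add-rotate-xor mixing of four 64-bit words.
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 of msg under a 16-byte key (the seed); returns a 64-bit int."""
    if len(key) != 16:
        raise ValueError("SipHash key must be exactly 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    # Initial state: key XORed into the "somepseudorandomlygeneratedbytes" constants.
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    n = len(msg)
    # Compression: absorb each little-endian 8-byte word with c = 2 rounds.
    for i in range(0, n - n % 8, 8):
        m = struct.unpack_from("<Q", msg, i)[0]
        v = (v[0], v[1], v[2], v[3] ^ m)
        v = _sipround(*_sipround(*v))
        v = (v[0] ^ m, v[1], v[2], v[3])
    # Last word: leftover bytes, with the message length (mod 256) in the top byte.
    last = (n & 0xFF) << 56
    for j, byte in enumerate(msg[n - n % 8:]):
        last |= byte << (8 * j)
    v = (v[0], v[1], v[2], v[3] ^ last)
    v = _sipround(*_sipround(*v))
    v = (v[0] ^ last, v[1], v[2] ^ 0xFF, v[3])
    # Finalization: d = 4 rounds, then fold the state down to 64 bits.
    for _ in range(4):
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

# Known-answer vector from the SipHash paper: key = 00..0f, msg = 00..0e.
PAPER_KEY = bytes(range(16))
PAPER_MSG = bytes(range(15))

if __name__ == "__main__":
    assert siphash24(PAPER_KEY, PAPER_MSG) == 0xA129CA6149BE45E5
    # Two different seeds give unrelated hashes for the same input, which is
    # the property a randomized str/bytes hash relies on.
    print(hex(siphash24(PAPER_KEY, b"spam")), hex(siphash24(bytes(16), b"spam")))
```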