With a small number of buckets, it seems to me that no hash algo will make you safe from a flooding attack. You can simply generate your hashes locally using whichever algo the server uses, and only send those that fit into your attack scheme. The data could even be pre-generated.
The only way to guard against a flood that makes sense to me is to limit the number of items that can be accepted before deciding you're being trolled. On Wed, 2017-01-11 at 23:29 +0000, J. J. Farrell wrote: > Are the issues you raise true of SipHash, given that a prime motivator > for its design was generating hash tables for short inputs while being > secure against hash flooding attacks? It achieves this with the > performance of a portable C implementation the order of four times > faster than MD5, and not much slower than other modern hash > algorithms. > > I'd have thought the main thing to consider is whether or not there is > any practical way a hash flooding attack could be used against > OpenSSL's hash tables, and it sounds like there isn't. In that case, > the fastest algorithm for the usage patterns would be best. > > Regards, > jjf > > On 11/01/2017 22:25, Peter Waltenberg wrote: > > > And the reason I said you certainly don't need a keyed hash ? > > > > Behaviour of the hash function will change with key and in some > > cases performance would degenerate to that of a linked list. (Ouch). > > And since the obvious thing to do is use a random key, OpenSSL's > > performance would get *very* erratic. > > > > Simpler functions than cryptographic hashes will almost certainly > > yield better results here. I note someone further up the thread > > someone else has pointed that out. > > > > Peter > > > > From: "Salz, Rich" <rs...@akamai.com> > > To: "openssl-dev@openssl.org" <openssl-dev@openssl.org> > > Date: 11/01/2017 13:14 > > Subject: Re: [openssl-dev] use SIPhash for > > OPENSSL_LH_strhash? > > Sent by: "openssl-dev" <openssl-dev-boun...@openssl.org> > > > > ____________________________________________________________________ > > > > The needs for OpenSSL's LHASH are exactly what SipHash was designed > > for: fast on short strings. > > OpenSSL's hash currently *does not* call MD5 or SHA1; the MD5 code > > is commented out. > > Yes, performance tests would greatly inform the decision. > > -- > J. J. Farrell > Not speaking for Oracle > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
