Christian Heimes <[email protected]> added the comment:
Given that a user has an application with an oracle function that returns the
hash of a unicode string, an attacker can probe tens of thousands of one- and
two-character unicode strings. That should give him/her enough data to calculate
both seeds. hash("") already gives away lots of information about the seeds,
too.

- hash("") should always return 0
- for small strings we could use a different seed than for larger strings
- for larger strings we could use Paul's algorithm but limit the XOR op to the
  first and last 16 elements instead of all elements.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue13703>
_______________________________________
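As an added illustration (not code from the tracker, from CPython or from Paul's patch), a toy model of the seeded string hash and of the three suggestions above; the 64-bit arithmetic, the seed layout, the 1000003 multiplier and the `short_limit`/`edge` parameters are assumptions of the model:

```python
import os
import struct

MASK = (1 << 64) - 1  # the toy model works on 64-bit unsigned values


def naive_hash(s, prefix, suffix):
    """Toy model of the original seeded string hash: prefix in, per-character
    mixing, suffix out.  For s == "" the loop never runs, so the result is just
    prefix ^ suffix: an oracle for hash("") hands out that relation directly."""
    x = prefix
    for ch in s:
        x = ((1000003 * x) ^ ord(ch)) & MASK
    x ^= len(s)
    return (x ^ suffix) & MASK


def make_seeds():
    """Constructed seed material (assumption of the model): one (prefix, suffix,
    table) triple for short strings and an independent one for long strings.
    The table holds 2 * edge = 32 random bytes for the default edge of 16."""
    def triple():
        prefix, suffix = struct.unpack("<QQ", os.urandom(16))
        return prefix, suffix, list(os.urandom(32))
    return {"short": triple(), "long": triple()}


def hardened_hash(s, seeds, short_limit=2, edge=16):
    """Toy model of the three suggestions: hash("") is fixed at 0, strings of up
    to short_limit characters use their own seed triple, and the random XOR
    table is applied only to the first `edge` and last `edge` characters."""
    if not s:
        return 0
    prefix, suffix, table = seeds["short" if len(s) <= short_limit else "long"]
    n = len(s)
    x = prefix
    for i, ch in enumerate(s):
        c = ord(ch)
        if i < edge:
            c ^= table[i]                        # head of the string
        elif i >= n - edge:
            c ^= table[edge + i - (n - edge)]    # tail of the string
        x = ((1000003 * x) ^ c) & MASK
    x ^= n
    return (x ^ suffix) & MASK
```

With the same "long" triple but different "short" material, long strings hash identically, so a probe of one- and two-character strings says nothing about the seeds used for everything else.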