Am 13.01.2012 02:24, schrieb Victor Stinner:
My patch doesn't fix the DoS, it just make the attack more complex.
The attacker cannot pregenerate data for an attack: (s)he has first to
compute the hash secret, and then compute hash collisions using the
secret. The hash secret is a least 64 bits long (128 bits on a 64 bit
system). So I hope that computing collisions requires a lot of CPU
time (is slow) to make the attack ineffective with today computers.
Unfortunately it requires only a few seconds to compute enough 32bit
collisions on one core with no precomputed data. I'm sure it's possible
to make this less than a second.
In fact, since hash(X) == hash(Y) is independent of the suffix [ hash(X)
^ suffix == hash(Y) ^ suffix ], a lot of precomputation (from the tail)
is possible.
So the question is: How difficult is it to guess the seed?
Frank
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
