[issue13703] Hash collision security issue

Frank Sievertsen report at bugs.python.org
Mon Feb 6 19:53:41 CET 2012


Frank Sievertsen <python at sievertsen.de> added the comment:

> Agreed; it tops out with a constant, but if it takes only 16 bytes of
> input to force another run through a 1000-long collision, that may
> still be too much leverage.

You should prepare the dict so that you have the collision run with a one-byte string, or better yet with an empty string, not a 16-byte string.

> BTW: If you set the limit N to e.g. 100 (which is reasonable given
> Victor's and my tests),

100 is probably hard to exploit for a DoS attack. However,
it makes it much easier to cause unwanted (future?) exceptions in
other apps.

> So it would take around 3Mb to cause a minute's delay...

How did you calculate that?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
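The cost model argued over in this message (a short key still pays for the whole collision run, and a collision limit N turns that run into an exception for legitimate keys too), as an added example that is not code from the thread or from CPython. It assumes a toy open-addressing table with CPython's probe recurrence and a constructed constant hash so that every key collides; it says nothing about the real str hash.

```python
# Added example, not from the bug thread or CPython: toy dict with CPython's
# probe recurrence and the proposed "raise after N collisions" limit.
class CollisionLimitExceeded(Exception): pass

class ToyDict:
    def __init__(self, size=2 ** 12, hashfunc=lambda key: 0):
        self.mask = size - 1
        self.slots = [None] * size       # each slot: (hash, key, value) or None
        self.hashfunc = hashfunc         # constructed: constant 0, all keys collide
        self.limit = None                # None = no limit, like the unpatched dict

    def _probe(self, h):
        """Yield slots: i = (5*i + perturb + 1) & mask, perturb >>= 5, as in dictobject.c."""
        i, perturb, steps = h & self.mask, h, 0
        while True:
            yield i
            steps += 1
            if self.limit is not None and steps > self.limit:
                raise CollisionLimitExceeded(steps)
            i = (5 * i + perturb + 1) & self.mask
            perturb >>= 5

    def insert(self, key, value):
        h = self.hashfunc(key)
        for i in self._probe(h):
            if self.slots[i] is None:    # keys are unique in this demo
                self.slots[i] = (h, key, value)
                return

    def lookup(self, key):
        h = self.hashfunc(key)           # returns (value, probes) so the cost is visible
        for n, i in enumerate(self._probe(h), 1):
            entry = self.slots[i]
            if entry is None:
                return None, n           # miss after n probes
            if entry[0] == h and entry[1] == key:
                return entry[2], n       # hit after n probes

def build_chain(n_keys=1000):            # constructed "1000-long collision" run
    d = ToyDict()
    for k in range(n_keys):
        d.insert("k%d" % k, k)
    return d

def probes_for(d, key, limit=None):
    """Probe steps a lookup of key costs under limit, or -1 if the limit trips."""
    d.limit = limit
    try:
        return d.lookup(key)[1]
    except CollisionLimitExceeded:
        return -1
```

With the chain built, `probes_for(d, "")` walks all 1000 occupied slots before missing, while `probes_for(d, "k999", 100)` shows a key that was previously slow but correct now raising under the limit.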
