[issue13703] Hash collision security issue
Martin v. Löwis
report at bugs.python.org
Wed Feb 15 09:25:02 CET 2012
Martin v. Löwis <martin at v.loewis.de> added the comment:
> Frankly, other short strings may give away even more, because you can
> put several into the same dict.

Please don't make such claims without some reasonable security analysis:
how *exactly* would you derive the hash seed when you have the hash
values of all 256 one-byte strings (or all 2**20 one-char Unicode
strings)?

> I would prefer that the randomization not kick in until strings are at
> least 8 characters, but I think excluding length 1 is a pretty obvious
> win.

-1. It is very easy to create a good number of hash collisions already
with 6-character strings. You are opening the security hole again that
we are attempting to close.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
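
An added example, not part of the original message or of CPython's source: a check that the interpreter you deploy seeds the hashes of short strings too, which is the coverage question argued over above. It assumes a CPython that honours the `PYTHONHASHSEED` environment variable; the sample keys and the function names are constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed sample keys: the one-character and 6-character cases from the thread.
SHORT_KEYS = ["a", "b", "abcdef", "zzzzzz"]


def hashes_under_seed(seed, keys=SHORT_KEYS):
    """Return {key: hash(key)} as computed by a fresh interpreter started
    with PYTHONHASHSEED=<seed> (the value 0 disables randomization)."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    code = "import sys; print(' '.join(str(hash(k)) for k in sys.argv[1:]))"
    out = subprocess.run(
        [sys.executable, "-c", code, *keys],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.split()
    return dict(zip(keys, map(int, out)))


def unrandomized_keys(seed_a=1, seed_b=2, keys=SHORT_KEYS):
    """Keys whose hash is identical under two different seeds, meaning the
    interpreter's randomization does not cover them."""
    a = hashes_under_seed(seed_a, keys)
    b = hashes_under_seed(seed_b, keys)
    return [k for k in keys if a[k] == b[k]]


if __name__ == "__main__":
    # sys.flags.hash_randomization reports whether this process is seeded.
    print("hash_randomization flag:", sys.flags.hash_randomization)
    print("keys not covered by the seed:", unrandomized_keys() or "none")
```

An empty result from `unrandomized_keys()` means no short-string exemption is in effect on that interpreter.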