[issue13703] Hash collision security issue
Christian Heimes
report at bugs.python.org
Thu Jan 5 01:53:57 CET 2012
Christian Heimes <lists at cheimes.de> added the comment:
Given that a user has an application with an oracle function that returns the hash of a unicode string, an attacker can probe tens of thousands of one- and two-character unicode strings. That should give him/her enough data to calculate both seeds. hash("") already gives away lots of information about the seeds, too.
- hash("") should always return 0
- for small strings we could use a different seed than for larger strings
- for larger strings we could use Paul's algorithm but limit the XOR op to the first and last 16 elements instead of all elements.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
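
The first suggestion above (hash("") always returning 0), shown as an added example that is not part of the original message or of any CPython patch. It assumes a simplified prefix/suffix-seeded multiplicative string hash; `seeded_hash`, `zero_for_empty` and the seed values are hypothetical names and constructed inputs.

```python
import secrets

MASK = (1 << 64) - 1  # model a 64-bit hash value


def seeded_hash(s, prefix, suffix, zero_for_empty=False):
    """Toy prefix/suffix-seeded string hash (assumed model, not CPython's code)."""
    if not s:
        if zero_for_empty:
            # Mitigation from the message: the empty string always hashes to 0.
            return 0
        # No character is mixed in, so the output is a direct function
        # of the two secret seeds.
        return (prefix ^ suffix) & MASK
    x = (prefix ^ (ord(s[0]) << 7)) & MASK
    for ch in s:
        x = ((1000003 * x) ^ ord(ch)) & MASK
    x ^= len(s)
    return (x ^ suffix) & MASK


def empty_string_output(oracle):
    """What a caller of a hash oracle learns from the empty string alone."""
    return oracle("")


def demo(prefix=None, suffix=None):
    # Constructed seeds: random per run unless fixed values are passed in.
    prefix = secrets.randbits(64) if prefix is None else prefix
    suffix = secrets.randbits(64) if suffix is None else suffix

    def unsafe(s):
        return seeded_hash(s, prefix, suffix)

    def safe(s):
        return seeded_hash(s, prefix, suffix, zero_for_empty=True)

    return {
        # Without the special case the oracle hands out prefix XOR suffix.
        "unsafe_exposes_seed_xor": empty_string_output(unsafe) == prefix ^ suffix,
        # With it the empty string carries no seed-dependent value.
        "safe_empty_hash": empty_string_output(safe),
        # Non-empty strings hash the same either way.
        "nonempty_unchanged": unsafe("ab") == safe("ab"),
    }


if __name__ == "__main__":
    print(demo())
```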