[Python-Dev] Counting collisions for the win
"Martin v. Löwis"
martin at v.loewis.de
Fri Jan 20 10:34:09 CET 2012
> The last solution is very simple: count collision and raise an
> exception if it hits a limit. The path is something like 10 lines
> whereas the randomized hash is more close to 500 lines, add a new
> file, change Visual Studio project file, etc. First I thaught that it
> would break more applications than the randomized hash
The main issue with that approach is that it allows a new kind of attack.
An attacker now needs to find 1000 colliding keys, and submit them
one-by-one into a database. The limit will not trigger, as those are
just database insertions.
Now, if the applications also as a need to read the entire database
table into a dictionary, that will suddenly break, and not for the
attacker (which would be ok), but for the regular user of the
application or the site administrator.
So it may be that this approach actually simplifies the attack, making
the cure worse than the disease.
Regards,
Martin
More information about the Python-Dev
mailing list