[Python-Dev] Status of the fix for the hash collision vulnerability

Gregory P. Smith greg at krypto.org
Sat Jan 14 03:34:48 CET 2012

• Previous message: [Python-Dev] Status of the fix for the hash collision vulnerability
• Next message: [Python-Dev] Status of the fix for the hash collision vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

btw, Tim's commit message on this one is amusingly relevant. :)
 http://hg.python.org/cpython/diff/8d2bbbbf2cb9/Objects/dictobject.c
On Fri, Jan 13, 2012 at 6:25 PM, Gregory P. Smith <greg at krypto.org> wrote:
>>> Clearly these ideas are more complex than adding randomization, but
>> adding randomization doesn't seem to be produce immunity from attack, when
>> data about the randomness is leaked.
>>>> Which will not normally happen.
>> I'm firmly in the camp that believes the random seed can be probed and
> determined by creatively injecting values and measuring timing of things.
> But doing that is difficult and time and bandwidth intensive so the per
> process random hash seed is good enough.
>> There's another elephant in the room here, if you want to avoid this
> attack use a 64-bit Python build as it uses 64-bit hash values that are
> significantly more difficult to force a collision on.
>> -gps
>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20120113/bfe8d3f3/attachment.html>

---

• Previous message: [Python-Dev] Status of the fix for the hash collision vulnerability
• Next message: [Python-Dev] Status of the fix for the hash collision vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-Dev mailing list