[Python-Dev] Hash collision security issue (now public)
Christian Heimes
lists at cheimes.de
Sat Dec 31 04:28:18 CET 2011
On 31.12.2011 03:19, Steven D'Aprano wrote:
> How about using a similar strategy to the current dict behaviour with
> __missing__ and defaultdict? Here's my suggestion:
>
>
> - If a dict subclass defines __salt__, then it is called to salt the hash
> value before lookups. If __salt__ is undefined or None, the current
> behaviour remains unchanged.
This was my initial proposal, too. It took me a while to figure out that
it won't work. Post-salting won't fix the issue. The random seed must be
used as the IV inside the hashing algorithm. My brain was still in holiday mode
and it took me a while to figure out the math. Sorry for any confusion!
Christian
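
The point of the reply above, as an added example that is not part of the original message or of CPython: a toy 12-bit multiply-and-XOR hash shows that key pairs which collide without a salt all still collide after post-salting, while feeding the secret in as the initial state changes which keys collide. The width, the multiplier, the function names and the 3-letter keys are assumptions constructed for illustration.

```python
from itertools import product
from string import ascii_lowercase

BITS = 12                      # toy width so collisions are easy to enumerate
MASK = (1 << BITS) - 1
MULT = 1000003                 # assumed multiplier for this toy hash

def toy_hash(key: bytes, iv: int = 0) -> int:
    """Multiply-and-XOR hash; iv is the initial internal state."""
    x = iv & MASK
    for byte in key:
        x = ((x * MULT) ^ byte) & MASK
    return x ^ (len(key) & MASK)

def post_salted(key: bytes, salt: int) -> int:
    """Post-salting: the salt only touches the finished hash value."""
    return toy_hash(key) ^ (salt & MASK)

def colliding_pairs():
    """Pairs of constructed 3-letter keys that share an unsalted hash."""
    buckets = {}
    for letters in product(ascii_lowercase.encode(), repeat=3):
        key = bytes(letters)
        buckets.setdefault(toy_hash(key), []).append(key)
    # Pair the first key of each bucket with every other key in it.
    return [(b[0], other) for b in buckets.values() for other in b[1:]]

def surviving(pairs, hash_fn, secret):
    """Count pairs that still collide once the secret is applied."""
    return sum(hash_fn(a, secret) == hash_fn(b, secret) for a, b in pairs)

if __name__ == "__main__":
    pairs = colliding_pairs()
    print("colliding pairs found without any secret:", len(pairs))
    for secret in (0x5A5, 0x123, 0xABC):
        print(hex(secret),
              "post-salt keeps", surviving(pairs, post_salted, secret),
              "| IV keeps", surviving(pairs, toy_hash, secret))
```

Equal hash values stay equal under any function applied afterwards, so the post-salt count always equals the full pair count, whatever the salt.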