[Python-Dev] Hash collision security issue (now public)

Christian Heimes lists at cheimes.de
Sat Dec 31 04:28:18 CET 2011

Am 31.12.2011 03:19, schrieb Steven D'Aprano:
> How about using a similar strategy to the current dict behaviour with 
> __missing__ and defaultdict? Here's my suggestion:
> - If a dict subclass defines __salt__, then it is called to salt the hash
>    value before lookups. If __salt__ is undefined or None, the current
>    behaviour remains unchanged.

This was my initial proposal, too. It took me a while to figure out that
it won't work. Post-salting won't fix the issue. The random seed must be
used as IV inside hashing algorithm. My brain was still in holiday mode
and it took me a while to figure out the math. Sorry for any confusion!


More information about the Python-Dev mailing list