[Python-Dev] Hash collision security issue (now public)
solipsis at pitrou.net
Mon Jan 2 13:01:05 CET 2012
On Sun, 1 Jan 2012 21:55:52 -0800
Paul McMillan <paul at mcmillan.ws> wrote:
> This is similar to the change proposed by Christian Heimes.
> Most importantly, I moved the xor with r[x % len_r] down a line.
> Before, it wasn't being applied to the last character.
Shouldn't it be r[i % len(r)] instead?
(refer to yesterday's #python-dev discussion)
> I think Ruby uses FNV-1 with a salt, making it less vulnerable to
> this. FNV is otherwise similar to our existing hash function.
Again, we could re-use FNV-1's primes, since they claim they have
better dispersion properties than the average prime.
More information about the Python-Dev