On Friday, 30.12.2011, at 18:06 +0100, Xavier Leroy wrote:
> > 3) Use "randomized" hash tables. The trick here is that there is not a
> > single hash function h anymore, but a family h(1)...h(n). When the hash
> > table is created, one of the functions is picked randomly. This makes it
> > impossible to craft an attack request, because you cannot predict the
> > function.
>
> Indeed. The optional "seed" parameter to Hashtbl.create does exactly
> this in the new implementation of Hashtbl (the one based on Murmur3).

I see. It will be available in 3.13:

    val create : ?seed:int -> int -> ('a, 'b) t

There is also an additional functorized interface where this seed
argument exists (Hashtbl.MakeSeeded), and the hash functions seeded_hash
and seeded_hash_param. Well done!

Nevertheless, as we all don't know when 3.13 is ready, I'll have to find
a temporary fix for Ocamlnet. Maybe just a limit for the number of POST
parameters.

> > So, the question is how to do 3). I see two problems here:
> >
> > a) how to define the family of hash functions. Is it e.g. sufficient to
> > introduce an initialization vector for the Murmurhash algorithm, and
> > fill it randomly?
>
> IIRC, the Web pages for the Murmur family of hashes gives some
> statistical evidence that this approach works.
>
> > How to get a random number that is good enough?
>
> Hmm. /dev/random is your friend on the platforms that support it.
> Otherwise, there's always the Random module, but Random.self_init
> isn't very strong.

Well, /dev/(u)random covers most Unix platforms nowadays. If you are
interested, I have a wrapper for Win32:

https://godirepo.camlcity.org/svn/lib-ocamlnet2/trunk/code/src/netsys/netsys_c_win32.c

Scroll down until netsys_fill_random.

Gerd
--
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany    g...@gerd-stolpmann.de
Creator of GODI and camlcity.org.
Contact details:        http://www.camlcity.org/contact.html
Company homepage:       http://www.gerd-stolpmann.de
------------------------------------------------------------
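
The seeded family h(1)...h(n) discussed in this message, as an added OCaml example that is not part of the original mail, of Ocamlnet or of the standard library: it draws a seed from /dev/urandom (falling back to Random.self_init) and compares bucket placement under a known seed and a random one using Hashtbl.seeded_hash. The helper names random_seed, bucket and longest_chain, the bucket count and the sample keys are assumptions constructed for illustration.

```ocaml
(* Added example; helper names and sample keys are constructed. *)

(* Fold 7 bytes from /dev/urandom into a non-negative int seed.
   Falls back to Random.self_init, which the thread notes is weaker. *)
let random_seed () =
  try
    let ic = open_in_bin "/dev/urandom" in
    let bytes =
      try really_input_string ic 7
      with e -> (close_in_noerr ic; raise e) in
    close_in ic;
    let acc = ref 0 in
    String.iter (fun c -> acc := (!acc lsl 8) lor Char.code c) bytes;
    !acc land max_int
  with Sys_error _ | End_of_file ->
    Random.self_init ();
    Random.bits ()

(* One member h(seed) of the hash family: the bucket index for [key]. *)
let bucket ~seed ~buckets key =
  Hashtbl.seeded_hash seed key mod buckets

(* Size of the fullest bucket when [keys] are placed under [seed]. *)
let longest_chain ~seed ~buckets keys =
  let counts = Array.make buckets 0 in
  List.iter
    (fun k ->
      let b = bucket ~seed ~buckets k in
      counts.(b) <- counts.(b) + 1)
    keys;
  Array.fold_left max 0 counts

let () =
  let buckets = 64 in
  (* Constructed sample: 200 keys that all share bucket 0 under the
     fixed, publicly known seed 0 (the predictable-function case). *)
  let rec collect acc n i =
    if n = 0 then acc
    else
      let k = "p" ^ string_of_int i in
      if bucket ~seed:0 ~buckets k = 0 then collect (k :: acc) (n - 1) (i + 1)
      else collect acc n (i + 1) in
  let keys = collect [] 200 0 in
  let seed = random_seed () in
  Printf.printf "known seed 0: longest chain %d\n"
    (longest_chain ~seed:0 ~buckets keys);
  Printf.printf "random seed : longest chain %d\n"
    (longest_chain ~seed ~buckets keys)
```

The same keys that pile into one bucket under the known seed spread across buckets once the seed is drawn per table, which is why the seed has to come from an unpredictable source.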