On Thu, Oct 3, 2013 at 12:55 PM, Christian Heimes <christ...@python.org> wrote:

> On 03.10.2013 21:45, Guido van Rossum wrote:
> > But fixing that shouldn't need all the extra stuff you're
> > proposing.
>
> I have proposed some of the extra stuff for more flexibility, the rest
> is for testing and debugging.
>

Hm, I don't think we need more infrastructure for this. As Antoine said, if you're hacking on this you might as well edit the source.

> > What's a Python randomization key?
>
> Python's hash randomization key, the seed to randomize the output of
> hash() for bytes and str.
>

Is the seed itself crypto-safe? (I.e. is it derived carefully from urandom?)

> > SipHash: more secure and about same speed on most systems
> >
> > Same speed as what?
>
> Same speed as the current algorithm in Python 3.3 and earlier.
>

OK, then I have no objection to switching to it, *if* the security issue is really worth fixing. Otherwise it would be better to look for a hash that is *faster*, given your assertion that the current hash is inefficient.

> > optimized FNV: faster but with a known issue
> >
> > What issue?
>
> Quote from https://131002.net/siphash/#at
> ---
> Jointly with Martin Boßlet, we demonstrated weaknesses in MurmurHash
> (used in Ruby, Java, etc.), CityHash (used in Google), and in Python's
> hash. Some of the technologies affected have switched to SipHash. See
> this oCERT advisory, and the following resources:
>
> [...]
>
> - Python script https://131002.net/siphash/poc.py to recover
>   the secret seed of the hash randomization in Python 2.7.3 and
>   3.2.3
>

Sounds a bit like some security researchers drumming up business. If you can run the binary, presumably you can also recover the seed by looking in /proc, right? Or use ctypes or something. This demonstration seems of academic interest only.

> ---
>
> It's all documented in my PEP draft, too.

Yeah, there's lots of stuff there. I'm looking for the TL;DR version. :-)

-- 
--Guido van Rossum (python.org/~guido)
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev