Author christian.heimes
Recipients Arfrever, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, eric.araujo, georg.brandl, gvanrossum, jcea, lemburg, pitrou, terry.reedy, vstinner
Date 2012-01-05.00:53:57
SpamBayes Score 4.23271e-08
Marked as misclassified No
Message-id <1325724837.8.0.410157062214.issue13703@psf.upfronthosting.co.za>
In-reply-to
Content
Given that a user has an application with an oracle function that returns the hash of a unicode string, an attacker can probe tens of thousands of one- and two-character unicode strings. That should give him/her enough data to calculate both seeds. hash("") already gives away lots of information about the seeds, too.

- hash("") should always return 0

- for small strings we could use a different seed than for larger strings

- for larger strings we could use Paul's algorithm but limit the XOR op to the first and last 16 elements instead of all elements.
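The three design constraints above (hash("") fixed at 0, a separate seed for small strings, and seed mixing limited to the first and last 16 elements) as a toy Python model. This is an added illustration, not Christian's code, not CPython's string hash, and not "Paul's algorithm" from the thread, which is not reproduced here; the multiply-XOR loop, the 64-bit mask and the `SMALL_LIMIT` cutoff of 16 characters are assumptions made for the example.

```python
import os
from typing import Callable, Tuple

MASK = (1 << 64) - 1       # assumption: model a 64-bit hash
PREFIX_SUFFIX_LEN = 16     # per the message: mix the seed into the first and last 16 elements only
SMALL_LIMIT = 16           # assumption: strings up to this length count as "small"

Seeds = Tuple[int, int]


def make_seeds(rng: Callable[[int], bytes] = os.urandom) -> Seeds:
    """Two independent 64-bit seeds: one for small strings, one for larger ones."""
    small = int.from_bytes(rng(8), "little")
    large = int.from_bytes(rng(8), "little")
    return small, large


def _seed_byte(seed: int, i: int) -> int:
    """Byte of the seed used at character position i (assumed mixing rule)."""
    return (seed >> ((i % 8) * 8)) & 0xFF


def toy_hash(s: str, seeds: Seeds) -> int:
    """Toy randomized string hash following the three constraints in the message.

    - hash("") is 0 regardless of the seeds, so an oracle for the empty string
      reveals nothing about them.
    - small strings use seeds[0], larger strings use seeds[1], so probing many
      short strings does not expose the seed protecting long keys.
    - the seed is XORed only into the first and last PREFIX_SUFFIX_LEN
      characters; the middle of a long string is hashed unkeyed.
    """
    if not s:
        return 0
    small_seed, large_seed = seeds
    n = len(s)
    seed = small_seed if n <= SMALL_LIMIT else large_seed
    h = 0
    for i, ch in enumerate(s):
        c = ord(ch)
        if i < PREFIX_SUFFIX_LEN or i >= n - PREFIX_SUFFIX_LEN:
            c ^= _seed_byte(seed, i)
        h = ((h * 1000003) ^ c) & MASK   # assumed multiply-XOR step
    return h ^ n


def uses_only_small_seed(s: str) -> bool:
    """Check that changing the large seed does not alter the hash of s."""
    return toy_hash(s, (7, 9)) == toy_hash(s, (7, 11))


def uses_only_large_seed(s: str) -> bool:
    """Check that changing the small seed does not alter the hash of s."""
    return toy_hash(s, (7, 9)) == toy_hash(s, (5, 9))


if __name__ == "__main__":
    seeds = make_seeds()
    print("hash('') =", toy_hash("", seeds))
    print("small string keyed by small seed only:", uses_only_small_seed("abc"))
    print("long string keyed by large seed only:", uses_only_large_seed("x" * 40))
```

Running the block prints 0 for the empty string and True for both seed-separation checks; the checks are what a reviewer would want to confirm before accepting a scheme like this, since a design where short probes expose the seed used for long keys gives no protection to the keys that matter.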