This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Arfrever, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, eric.araujo, georg.brandl, gvanrossum, jcea, lemburg, pitrou, terry.reedy, vstinner
Date 2012-01-05.00:53:57
SpamBayes Score 4.2327066e-08
Marked as misclassified No
Message-id <1325724837.8.0.410157062214.issue13703@psf.upfronthosting.co.za>
In-reply-to
Content 
Given that a user has an application with an oracle function that returns the hash of a unicode string, an attacker can probe tenth of thousand one and two character unicode strings. That should give him/her enough data to calculate both seeds. hash("") already gives away lots of infomration about the seeds, too.

- hash("") should always return 0

- for small strings we could use a different seed than for larger strings

- for larger strings we could use Paul's algorithm but limit the XOR op to the first and last 16 elements instead of all elements.
History
Date User Action Args
2012-01-05 00:53:57christian.heimessetrecipients: + christian.heimes, lemburg, gvanrossum, barry, georg.brandl, terry.reedy, jcea, pitrou, vstinner, benjamin.peterson, eric.araujo, Arfrever, alex, dmalcolm, Mark.Shannon, Zhiping.Deng, PaulMcMillan
2012-01-05 00:53:57christian.heimessetmessageid: <1325724837.8.0.410157062214.issue13703@psf.upfronthosting.co.za>
2012-01-05 00:53:57christian.heimeslinkissue13703 messages
2012-01-05 00:53:57christian.heimescreate