Re: Hash Table Collisions (n.runs-SA-2011.004)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
From: Leo Razoumov <slonik.az@...>
Date: Mon, 2 Jan 2012 08:35:53 -0500

On Sun, Jan 1, 2012 at 12:48, Vladimir Protasov <eoranged@ya.ru> wrote:
> To avoid the problem we just should generate random salt at lua startup, then use it during hash generation. It will prevent attacker to guess which values will be placed in the same bucket.
> Also, check out Jenkins One-at-a-time hash, for example, here: http://en.wikibooks.org/wiki/Algorithm_implementation/Hashing
> If you'll initialize variable hash with a random number generated at startup time, like
>
>    uint32 joaat_hash(uchar *key, size_t key_len) {
>        uint32 hash = LUA_GENERATED_ON_STARTUP_SEED;
>        ...
>
> the attacker will not be able to guess which values will have the same hash, so It will not be easy to exploit this.
>

Salt would not help if one keeps ignoring characters the way Lua does.
Two strings that differ only in those characters that are ignored by
the hash function still hash to the same value.

--Leo--

Follow-Ups:
- Re: Hash Table Collisions (n.runs-SA-2011.004), David Kolf
- Re: Hash Table Collisions (n.runs-SA-2011.004), Vladimir Protasov

References:
- Re: Hash Table Collisions (n.runs-SA-2011.004), TNHarris
- Re: Hash Table Collisions (n.runs-SA-2011.004), Mark Hamburg
- Re: Hash Table Collisions (n.runs-SA-2011.004), Tom N Harris
- Re: Hash Table Collisions (n.runs-SA-2011.004), Mark Hamburg
- Re: Hash Table Collisions (n.runs-SA-2011.004), Vladimir Protasov

Prev by Date: RE: Lua 5.2 & SWIG compatibility problem
Next by Date: Re: Hash Table Collisions (n.runs-SA-2011.004)
Previous by thread: Re: Hash Table Collisions (n.runs-SA-2011.004)
Next by thread: Re: Hash Table Collisions (n.runs-SA-2011.004)
Index(es):
- Date
- Thread