in reply to Re: order of hash -- entropy requirements?
in thread order of hash
Exhausting entropy like that is a serious problem for some applications. However, I doubt it's a big deal for Perl.
The problem the increased hash randomness was trying to solve was that certain well-crafted inputs would expand the internal data structures, thus consuming a lot more resources and becoming a potential DoS attack (the attack can be generalized to be used on many languages and algorithms, not just Perl's hashes). By putting a little randomization in the hash, it becomes much harder for an attacker to predict how the data structure will expand.
The random number generator used need not be from an extremely high quality source. Just enough that an attacker won't be able to predict the hash seeds. It would be pretty easy to foil a remote attacker this way, but a bit harder for a local attacker, depending on their system privileges.
----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
: () { :|:& };:
Note: All code is untested, unless otherwise stated
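
Added illustration, not part of the original post: a toy chained table in Perl that measures the longest bucket chain for the same key set under a known seed and under a per-process random seed. The one-at-a-time style hash, the helper names `seeded_hash` and `longest_chain`, and the table and key-set sizes are assumptions chosen for the example, not Perl's internal implementation.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Jenkins one-at-a-time style hash with the seed as its initial state.
# Illustrative stand-in only (assumption), not Perl's internal hash code.
# Assumes a perl built with 64-bit integers.
sub seeded_hash {
    my ($key, $seed) = @_;
    my $h = $seed & 0xFFFFFFFF;
    for my $c (unpack 'C*', $key) {
        $h = ($h + $c)         & 0xFFFFFFFF;
        $h = ($h + ($h << 10)) & 0xFFFFFFFF;
        $h ^= $h >> 6;
    }
    $h = ($h + ($h << 3))  & 0xFFFFFFFF;
    $h ^= $h >> 11;
    $h = ($h + ($h << 15)) & 0xFFFFFFFF;
    return $h;
}

# Longest chain produced when @$keys are placed in a chained table
# with $buckets slots ($buckets must be a power of two).
sub longest_chain {
    my ($keys, $seed, $buckets) = @_;
    my %count;
    $count{ seeded_hash($_, $seed) & ($buckets - 1) }++ for @$keys;
    my $max = 0;
    for (values %count) { $max = $_ if $_ > $max }
    return $max;
}

my $BUCKETS    = 256;
my $known_seed = 0;    # fixed seed: the situation before randomization

# Constructed sample input: 200 keys that share bucket 0 under the known seed.
my @keys;
for (my $i = 0; @keys < 200; $i++) {
    my $k = "key$i";
    push @keys, $k if (seeded_hash($k, $known_seed) & ($BUCKETS - 1)) == 0;
}

# Per-process seed. rand() is not a cryptographic generator; as the post
# says, the seed only has to be unpredictable to whoever picks the keys.
my $random_seed = int(rand(2**32));

printf "known seed:  longest chain %d of %d keys\n",
    longest_chain(\@keys, $known_seed, $BUCKETS), scalar @keys;
printf "random seed: longest chain %d of %d keys\n",
    longest_chain(\@keys, $random_seed, $BUCKETS), scalar @keys;
```

Under the known seed every key lands in one chain, so lookups degrade to a linear scan; under the random seed the same keys spread across the buckets.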
Re: Re: Re: order of hash -- entropy requirements?
by mattr (Curate) on Nov 05, 2003 at 07:22 UTC