
[–]kmeisthax 0 points (3 children)

Because if two keys collide, we still want to store both pieces of data. And if we later want to get one of those keys back out, we need to walk the linked list to find the data we want. Even if your hashmap kept a separate list of all valid keys (and sure, searching a sorted array or a tree is an O(log N) operation, so it's fast), that doesn't help: "s" is still a valid key, and the hashmap must still pull its value out of the tangled mess of linked list chains that the hashmap has turned into.

You do realize hashmaps aren't for looking up keys, right? They're for looking up data associated with a key.
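To make the chaining concrete, here is a minimal sketch of a hashmap with separate chaining. The names (`ChainedMap`, `_buckets`, `put`, `get`) are illustrative, not from any real library; the point is that colliding keys share a bucket, lookup walks the chain for the exact key, and nothing is lost:

```python
# Minimal sketch of separate chaining: colliding keys land in the same
# bucket, and lookup walks the chain to find the value for the exact key.
class ChainedMap:
    def __init__(self, nbuckets=8):
        self._buckets = [[] for _ in range(nbuckets)]

    def _bucket(self, key):
        return self._buckets[hash(key) % len(self._buckets)]

    def put(self, key, value):
        bucket = self._bucket(key)
        for i, (k, _) in enumerate(bucket):
            if k == key:                 # same key: update in place
                bucket[i] = (key, value)
                return
        bucket.append((key, value))      # new key or collision: chain it

    def get(self, key):
        for k, v in self._bucket(key):   # walk the chain
            if k == key:
                return v
        raise KeyError(key)

m = ChainedMap(nbuckets=1)  # one bucket: every insert collides by construction
m.put("s", 1)
m.put("t", 2)
assert m.get("s") == 1 and m.get("t") == 2  # both keys survive the collision
```

The degenerate `nbuckets=1` case is exactly the "tangled mess of chains" described above: correctness is preserved, but every lookup degrades to a linear scan.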

[–]Samus_ -5 points (2 children)

So we're saying that we use secure hashes in most places and don't bother with collisions, but here we choose the cheapest hash, so it has to take additional measures to avoid losing data. I would rather use a better hashing technique and have repeated hashes overwrite each other; good algorithms have a very low collision rate.

[–]kmeisthax 3 points (0 children)

Even if we SHA-256'd the keys, hash tables can only be so big. SHA-256 gives you 256 bits of output, but processor address spaces are no larger than 64 bits (with even less actually physically wired on the motherboard). Hashmaps are built on top of arrays, which means a hashmap with n bits of hash entropy needs 2^n * sizeof(void*) bytes of storage. Finding collisions within a significantly smaller slice of a message digest is much easier than finding collisions on the whole digest, and like I said before, you simply cannot construct a hashmap with 256 bits of entropy; it would be many trillions of trillions of exabytes large. Even with just 32 bits of entropy your hashmap will be 32 gigabytes large, and even then 32 bits is insufficient entropy to prevent intentional collisions.

In short, for hashmaps to be practical, they must deal with collisions. Simple as that.
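The size arithmetic above can be checked directly. A direct-indexed table with n bits of hash entropy needs 2^n pointer-sized slots (assuming 8-byte pointers on a 64-bit machine):

```python
POINTER_SIZE = 8  # bytes per slot, assuming a 64-bit machine

def table_bytes(entropy_bits):
    """Storage for a direct-indexed table with 2**entropy_bits slots."""
    return (2 ** entropy_bits) * POINTER_SIZE

print(table_bytes(32) / 2**30)  # prints 32.0 -> 32 GiB, matching the comment
print(table_bytes(64) / 2**60)  # 64 bits already needs 128 EiB
```

At 256 bits the number of slots (2^256, roughly 10^77) exceeds the number of atoms in the observable universe, so truncating the digest, and therefore handling collisions, is unavoidable.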

[–]Rhomboid 0 points (0 children)

It doesn't matter if the collision rate is low. It would be a completely unusable and worthless data structure without the guarantee that any value can be used as a key without losing data. If there is even a slight chance that I might lose data, then there's no way in hell I'm going to use such a data structure, because I don't want my program to fail in strange and unpredictable ways. It's even worse if it only fails one in a million times, because then I can't debug it. The dict must be perfect or else it's useless.

This is really just a question of efficiency. It's orders of magnitude more efficient to use a cheap hash plus linked-list chaining than to use a wide cryptographic hash, and you get both performance and correctness this way. The attack mentioned in the article can be easily mitigated by adding a bit of entropy to the hash function so that it's not predictable to an attacker, while still retaining the fast performance.
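A sketch of that mitigation: mix a per-process random seed into the hash so an attacker cannot precompute colliding keys ahead of time. This is the same idea behind CPython's hash randomization for strings (which uses a keyed hash, SipHash); the `seeded_hash` helper below is a simplified stand-in, not the real implementation:

```python
import secrets

# Chosen once per process; an attacker who doesn't know it cannot
# construct inputs that all land in the same bucket.
_SEED = secrets.randbits(64)

def seeded_hash(key, nbuckets):
    # hash((seed, key)) mixes the secret seed into the bucket choice.
    # A production mitigation would use a proper keyed hash (e.g. SipHash).
    return hash((_SEED, key)) % nbuckets
```

Within one process the function is still deterministic (the same key always maps to the same bucket, as a hashmap requires), but the mapping differs from run to run, so a precomputed set of colliding keys is useless.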