Is Go susceptible to hash floods?

agolangf · · 542 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>So I watching this <a href="https://www.youtube.com/watch?v=wGYj8fhhUVA">informative video </a> that pointed out that several prominent languages were vulnerable to hash floods (although its fixed now), I would like to know the status of the same for Go on this one. I am asking because I am not aware of the internal working, so this may even be *Not Applicable * kinda question!!</p> <p><a href="https://131002.net/siphash/siphashdos_appsec12_slides.pdf">Here is more on hash flood</a></p> <hr/>**评论:**<br/><br/>dgryski: <pre><p>&#34;Probably not&#34;. The internal hash table has always (pre-1.0) had a per-table seed which is mixed with they key to make it difficult to have off-line attacks against the hash function. The hash rewrite in 1.4 produced a &#34;complicated&#34; hash function which has not been analyzed though.</p> <p>The upcoming 1.6 includes a patch to make it harder to engineer collisions: <a href="https://github.com/golang/go/commit/91059de095703ebc4ce6b8bad7a0a40dedeef7dc">https://github.com/golang/go/commit/91059de095703ebc4ce6b8bad7a0a40dedeef7dc</a></p></pre>Ainar-G: <pre><p>After some googling I&#39;ve found <a href="https://github.com/golang/go/issues/9365">this issue</a> with lots of info on the topic. In particular, Ian Lance Taylor wrote:</p> <blockquote> <p>I am not a crypto expert. But I believe that the Go runtime is somewhat resistant to this kind of attack because every map uses an individual hash seed that is chosen randomly at run time. Since an attacker who is not on the local machine has very limited visibility into map lookup times, I think it would be quite difficult to run such an attack remotely.</p> </blockquote></pre>drvd: <pre><p>No.</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

542 次点击  
加入收藏 微博
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传