[openssl-dev] [EXTERNAL] Re: use SIPhash for OPENSSL_LH_strhash?

Jeremy Farrell jeremy.farrell at oracle.com
Thu Jan 12 01:16:49 UTC 2017 

For something like SipHash, knowing "whichever algo the server uses" 
effectively implies knowing the 128-bit random key currently being used 
for the hash table in question.

Regards,
                           jjf

On 12/01/2017 00:39, Sands, Daniel wrote:
> With a small number of buckets, it seems to me that no hash algo will
> make you safe from a flooding attack.  You can simply generate your
> hashes locally using whichever algo the server uses, and only send those
> that fit into your attack scheme.  The data could even be pre-generated.
>
> The only way to guard against a flood that makes sense to me is to limit
> the number of items that can be accepted before deciding you're being
> trolled.
>
> On Wed, 2017-01-11 at 23:29 +0000, J. J. Farrell wrote:
>> Are the issues you raise true of SipHash, given that a prime motivator
>> for its design was generating hash tables for short inputs while being
>> secure against hash flooding attacks? It achieves this with the
>> performance of a portable C implementation the order of four times
>> faster than MD5, and not much slower than other modern hash
>> algorithms.
>>
>> I'd have thought the main thing to consider is whether or not there is
>> any practical way a hash flooding attack could be used against
>> OpenSSL's hash tables, and it sounds like there isn't. In that case,
>> the fastest algorithm for the usage patterns would be best.
>>
>> Regards,
>>                            jjf
>>
>> On 11/01/2017 22:25, Peter Waltenberg wrote:
>>
>>> And the reason I said you certainly don't need a keyed hash ?
>>>
>>> Behaviour of the hash function will change with key and in some
>>> cases performance would degenerate to that of a linked list. (Ouch).
>>> And since the obvious thing to do is use a random key, OpenSSL's
>>> performance would get *very* erratic.
>>>
>>> Simpler functions than cryptographic hashes will almost certainly
>>> yield better results here. I note someone further up the thread
>>> someone else has pointed that out.
>>>
>>> Peter
>>>
>>> From:        "Salz, Rich" <rsalz at akamai.com>
>>> To:        "openssl-dev at openssl.org" <openssl-dev at openssl.org>
>>> Date:        11/01/2017 13:14
>>> Subject:        Re: [openssl-dev] use SIPhash for
>>> OPENSSL_LH_strhash?
>>> Sent by:        "openssl-dev" <openssl-dev-bounces at openssl.org>
>>>
>>> ____________________________________________________________________
>>>
>>> The needs for OpenSSL's LHASH are exactly what SipHash was designed
>>> for: fast on short strings.
>>> OpenSSL's hash currently *does not* call MD5 or SHA1; the MD5 code
>>> is commented out.
>>> Yes, performance tests would greatly inform the decision.
>> -- 
>> J. J. Farrell
>> Not speaking for Oracle
>> -- 
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

-- 
J. J. Farrell
w: +44 161 493 4838

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170112/72c79fa5/attachment.html>

More information about the openssl-dev mailing list