Memcache key generation strategy


Problem description

Given function f1 which receives n String arguments, what would be considered better, in terms of runtime performance, random key generation strategy for memcache?

Our Memcache client does internal md5sum hashing on the keys it gets:

   public class MemcacheClient {  
       public Object get(String key) {
            String md5 = Md5sum.md5(key);
            // Talk to memcached to get the Serialization... 
            return memcached(md5);
       }
   }

My usage scenario is:

    public static String f1(String s1, String s2, String s3, String s4) {
         String key = s1 +  s2 + s3 + s4;
         return get(key);
    }



Second option

    /**
     * Calculate hash from Strings
     *
     * @param strings vararg list of Strings
     *
     * @return calculated md5sum hash
     */
    public static String stringHash(Object... strings) {
        if(strings == null) 
            throw new NullPointerException("D'oh! Can't calculate hash for null");

        MD5 md5sum = new MD5();

//      if(prevHash != null)
//          md5sum.Update(prevHash);

        for(int i = 0; i < strings.length; i++) {
            if(strings[i] != null) {
                md5sum.Update("_"); 
                md5sum.Update(strings[i].toString()); // Convert to String...
                md5sum.Update("_");

            } else {
                // If object is null, allow minimum entropy by hashing its position
                md5sum.Update("_");
                md5sum.Update(i);
                md5sum.Update("_");
            }
        }

        return md5sum.asHex();
    }


    public static String f1(String s1, String s2, String s3, String s4) {
         String key = stringHash(s1, s2, s3, s4);
         return get(key);
    }

Note that the possible problem with the second option is that we are doing a second md5sum (in the memcache client) on an already md5sum'ed digest result.

Thanks for reading, Maxim.

- Edit: using the MD5 utility source

Recommended answer

Just nitpicking, but you probably don't want random key generation, the key generation should be deterministic, but should generate a uniform distribution in the key space.

If you consider only accidental collisions, then the first approach is almost fine. You should prefix the strings with their length so you don't get collisions when a substring moves from one param to another. Given md5's pretty good avalanche properties that will ensure that accidental collisions are rare enough to be ignored.

But be careful with MD5 if you process user input, it has known collision attacks. If an untrusted user can pick some arbitrary bytes for the function parameters and returning a wrong result can have security implications, then you have a security hole. For instance if you use this to cache authorization info, an attacker could work out two sets of parameters that hash to a single value. One would access something public and the other accesses a protected service. Now just request authorization with the first set, get the authorization cached and then access the protected service with the other set, receiving a green light from the cached authorization.
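The length-prefix advice above, as an added example that is not part of the original question or answer: it shows that both plain concatenation and the "_" delimiters of the second option map different argument lists to the same hash input, while a length-prefixed encoding does not. The class and method names (`CacheKeys`, `encode`, `key`) are hypothetical, the inputs are constructed, and SHA-256 is swapped in for MD5 here because of the collision concern raised in the answer.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class CacheKeys {
    /** Unambiguous encoding: argument count, then per argument a null flag, byte length and bytes. */
    static byte[] encode(String... parts) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(parts.length);
        for (String p : parts) {
            out.writeBoolean(p != null);           // null stays distinct from ""
            if (p != null) {
                byte[] b = p.getBytes(StandardCharsets.UTF_8);
                out.writeInt(b.length);            // length prefix fixes the argument boundary
                out.write(b);
            }
        }
        return buf.toByteArray();
    }

    /** 64-character hex key, well within memcached's 250-byte key limit. */
    static String key(String... parts) throws IOException, NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(encode(parts));
        StringBuilder hex = new StringBuilder(d.length * 2);
        for (byte x : d) hex.append(String.format("%02x", x));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the same characters split at different argument boundaries.
        String[] a = {"ab", "c", "", ""}, b = {"a", "bc", "", ""};
        System.out.println("concat equal:    " + String.join("", a).equals(String.join("", b)));
        // "_" delimiters (second option) are ambiguous when an argument contains "_".
        String oneArg = "_" + "a__b" + "_";        // hash input for ("a__b")
        String twoArgs = "_a_" + "_b_";            // hash input for ("a", "b")
        System.out.println("delimited equal: " + oneArg.equals(twoArgs));
        // Length-prefixed keys differ in both cases.
        System.out.println("prefixed equal:  " + key(a).equals(key(b)));
        System.out.println("prefixed equal:  " + key("a__b").equals(key("a", "b")));
    }
}
```

The first two lines print `true` (the hash inputs are identical, so any hash function collides) and the last two print `false`.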
