老python哈希从左到右做 - 为什么是坏? [英] Old python hashing done left to right - why is it bad?
问题描述
我想学习如何防御网站的安全攻击。下面的链接显示了一个很好的教程,但我对一个语句感到困惑:
在 http://google-gruyere.appspot.com/part3#3__client_state_manipulation ,在Cookie操作下,Gruyere说Pythons哈希是不安全的,因为它从左到右。
Gruyere应用程序正在使用此来加密数据:
#global cookie_secret;只使用正散列值
h_data = str(hash(cookie_secret + c_data)& 0x7FFFFFF)
c_data是用户名; cookie_secret是一个静态字符串(默认为)
我理解在更安全的哈希函数中,一个更改生成一个新的结果,因为不同的c_data会产生完全不同的哈希!
编辑:怎么去打这样的哈希呢?
注释可能试图得到的是,对于大多数散列函数,如果给你 HASH(m)
然后很容易计算 x
(其中
HASH(m。x)
因此,如果您是用户 ro
HASH(secret。ro)
,那么您可以轻松计算 HASH(secret。root)
,并以其他用户身份登录。 I am trying to learn how to defend against security attacks on websites. The link below shows a good tutorial, but I am puzzled by one statement:
In http://google-gruyere.appspot.com/part3#3__client_state_manipulation , under "Cookie manipulation", Gruyere says Pythons hash is insecure since it hashes from left-to-right.
The Gruyere application is using this to encrypt data:
# global cookie_secret; only use positive hash values
h_data = str(hash(cookie_secret + c_data) & 0x7FFFFFF)
c_data is a username; cookie_secret is a static string (which is just '' by default)
I understand that in more secure hash functions, one change generates a whole new result, but I don't understand why this insecure, because different c_data generates whole different hashes!
EDIT: How would one go about beating a hash like this?
What the comment may be trying to get at is that for most hash functions, if you are given HASH(m)
then it is easy to calculate HASH(m . x)
, for any x
(where .
is concatenation).
Therefore, if you are user ro
, and the server sends you HASH(secret . ro)
, then you can easily calculate HASH(secret . root)
, and login as a different user.
这篇关于老python哈希从左到右做 - 为什么是坏?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!