From: "Richard W.M. Jones" <rich@annexia.org>
To: David MENTRE <dmentre@linux-france.org>
Cc: Gerd Stolpmann <info@gerd-stolpmann.de>, caml users <caml-list@inria.fr>
Subject: Re: [Caml-list] Hardening [Perl's] hash function further
Date: Tue, 19 Nov 2013 08:50:45 +0000 [thread overview]
Message-ID: <20131119085045.GN3162@annexia.org> (raw)
In-Reply-To: <CAC3Lx=ZrsHau9NicrwTjz-Lt7R5ysdrh4S3KVMOc1vZAAhJpvA@mail.gmail.com>
On Tue, Nov 19, 2013 at 08:53:23AM +0100, David MENTRE wrote:
> Hello,
>
> 2013/11/19 Gerd Stolpmann <info@gerd-stolpmann.de>:
> > This article is more or less discussing cryptoattacks on an insecure
> > hash function, and the new versions of the functions are only "better"
> > but in no way safe (which you only get with crypto hashes or
> > dictionaries that don't allow collisions).
>
> Which in turn raises the question: Who has the responsibility to
> implement such hashes that can be exposed to the Internet: OCaml
> standard library or dedicated frameworks like OCamlNet or Ocsigen? In
> other words, shouldn't we keep simple hashes in the OCaml standard
> library (for people making regular programs) and let people making web
> applications chose the proper crypto hash in a specialized library?
In Perl, the hash is a fundamental structure. It has the same
position of importance as the linked list has in functional
languages[1]. Perl doesn't have structs (it uses hashes), it doesn't
have associative arrays (hashes instead), nor objects (hashes again).
In other words it'd be very difficult to write a non-trivial Perl
application that didn't depend on the hash implementation of the Perl
interpreter.
OCaml is different in that Map/Hashtbl are not fundamental to writing
programs. You can write respectable programs without needing to use
those modules at all.
So I think it's probably the job of the web frameworks to keep an eye
on this and perhaps implement cryptographically strong hash tables (as
well as taking many other steps to mitigate attacks).
Rich.
[1] The one time I wrote an OCaml program which spectacularly blew up
in production, it was because I was using an assoc list which managed
to expand to 10000's of entries.
--
Richard Jones
Red Hat
next prev parent reply other threads:[~2013-11-19 8:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-18 20:44 Richard W.M. Jones
2013-11-19 0:08 ` Gerd Stolpmann
2013-11-19 7:53 ` David MENTRE
2013-11-19 8:50 ` Richard W.M. Jones [this message]
2013-11-19 9:14 ` Gabriel Scherer
2013-11-19 11:19 ` Dario Teixeira
2013-11-19 12:55 ` rixed
2013-11-19 22:18 ` Nicolas Braud-Santoni
2013-11-19 22:39 ` Eric Cooper
2013-11-19 22:55 ` Nicolas Braud-Santoni
2013-11-25 13:46 ` Goswin von Brederlow
2013-11-19 22:31 ` Nicolas Braud-Santoni
2013-11-20 18:56 ` Florian Weimer
2013-11-20 21:47 ` Gerd Stolpmann
2013-11-25 13:51 ` Goswin von Brederlow
2013-11-25 14:43 ` Yaron Minsky
2013-11-19 22:15 ` Nicolas Braud-Santoni
2013-11-25 13:38 ` Goswin von Brederlow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131119085045.GN3162@annexia.org \
--to=rich@annexia.org \
--cc=caml-list@inria.fr \
--cc=dmentre@linux-france.org \
--cc=info@gerd-stolpmann.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).