From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: caml-list@sympa.inria.fr Delivered-To: caml-list@sympa.inria.fr Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 316BC7EE25 for ; Tue, 19 Nov 2013 09:50:52 +0100 (CET) Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of rich@annexia.org) identity=pra; client-ip=80.68.91.176; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="rich@annexia.org"; x-sender="rich@annexia.org"; x-conformance=sidf_compatible Received-SPF: Pass (mail2-smtp-roc.national.inria.fr: domain of rich@annexia.org designates 80.68.91.176 as permitted sender) identity=mailfrom; client-ip=80.68.91.176; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="rich@annexia.org"; x-sender="rich@annexia.org"; x-conformance=sidf_compatible; x-record-type="v=spf1" Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of postmaster@furbychan.cocan.org) identity=helo; client-ip=80.68.91.176; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="rich@annexia.org"; x-sender="postmaster@furbychan.cocan.org"; x-conformance=sidf_compatible X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhoFAFkli1JQRFuw/2dsb2JhbABZgweDLb0agRwWdIIlAQEFOj8QCxgJExIPBSghE4gFAcIYF4YQiUcHhDEDliiBZ5IOgyg8 X-IPAS-Result: AhoFAFkli1JQRFuw/2dsb2JhbABZgweDLb0agRwWdIIlAQEFOj8QCxgJExIPBSghE4gFAcIYF4YQiUcHhDEDliiBZ5IOgyg8 X-IronPort-AV: E=Sophos;i="4.93,728,1378850400"; d="scan'208";a="43707189" Received: from furbychan.cocan.org ([80.68.91.176]) by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES128-SHA; 19 Nov 2013 09:50:50 +0100 Received: from rich by furbychan.cocan.org with local (Exim 4.80) (envelope-from ) id 1Vih1B-00053V-Mj; Tue, 19 Nov 2013 08:50:45 +0000 Date: Tue, 19 Nov 2013 08:50:45 +0000 From: "Richard W.M. Jones" To: David MENTRE Cc: Gerd Stolpmann , caml users Message-ID: <20131119085045.GN3162@annexia.org> References: <20131118204426.GA14731@annexia.org> <1384819720.4083.57.camel@zotac> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [Caml-list] Hardening [Perl's] hash function further On Tue, Nov 19, 2013 at 08:53:23AM +0100, David MENTRE wrote: > Hello, > > 2013/11/19 Gerd Stolpmann : > > This article is more or less discussing cryptoattacks on an insecure > > hash function, and the new versions of the functions are only "better" > > but in no way safe (which you only get with crypto hashes or > > dictionaries that don't allow collisions). > > Which in turn raises the question: Who has the responsibility to > implement such hashes that can be exposed to the Internet: OCaml > standard library or dedicated frameworks like OCamlNet or Ocsigen? In > other words, shouldn't we keep simple hashes in the OCaml standard > library (for people making regular programs) and let people making web > applications chose the proper crypto hash in a specialized library? In Perl, the hash is a fundamental structure. It has the same position of importance as the linked list has in functional languages[1]. Perl doesn't have structs (it uses hashes), it doesn't have associative arrays (hashes instead), nor objects (hashes again). In other words it'd be very difficult to write a non-trivial Perl application that didn't depend on the hash implementation of the Perl interpreter. OCaml is different in that Map/Hashtbl are not fundamental to writing programs. You can write respectable programs without needing to use those modules at all. So I think it's probably the job of the web frameworks to keep an eye on this and perhaps implement cryptographically strong hash tables (as well as taking many other steps to mitigate attacks). Rich. [1] The one time I wrote an OCaml program which spectacularly blew up in production, it was because I was using an assoc list which managed to expand to 10000's of entries. -- Richard Jones Red Hat