Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:79915 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 45157 invoked from network); 24 Dec 2014 09:29:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Dec 2014 09:29:57 -0000 Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.51 as permitted sender) X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 209.85.192.51 mail-qg0-f51.google.com Received: from [209.85.192.51] ([209.85.192.51:34262] helo=mail-qg0-f51.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 73/10-44085-5978A945 for ; Wed, 24 Dec 2014 04:29:57 -0500 Received: by mail-qg0-f51.google.com with SMTP id i50so5477196qgf.24 for ; Wed, 24 Dec 2014 01:29:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uRvyNzpRdw8BU+G47zrauaHI/EDwQvSLnadTxDa3AL8=; b=BcS9iRXYfqs65CyjMS6eBH0b36KCzhyKQVZakpk+5lA31cahn0V4waLZhfvrBeg6UK UBclDuBKj/76qaruZb7sm25CzJmZep4+4THhVf8xYYQdC7FquYGVvByNasT0OVh5B8t3 1pG8QpsYPkt4+n1J0DkOgwfxtBB57rZYUkltjXjilTjr1cKywGU4NmO6XOVb4JLPWOlj Sz5Tp3bFL8PeqTjuXGTTj6Hns+V5WI/Kwssp2Myg9GAQnDQGUd/OVC+zkI6EWw0qOCT4 vKyb7YFi0URathMmLWe3H5z1R2JJjBxkjE4DZ42DKlooWDiLrU5KVDguo06uetBd6AIT IrVw== MIME-Version: 1.0 X-Received: by 10.140.43.52 with SMTP id d49mr50722758qga.94.1419413394994; Wed, 24 Dec 2014 01:29:54 -0800 (PST) Received: by 10.140.22.106 with HTTP; Wed, 24 Dec 2014 01:29:54 -0800 (PST) In-Reply-To: References: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me> Date: Wed, 24 Dec 2014 20:29:54 +1100 Message-ID: To: Yasuo Ohgaki Cc: Andrea Faulds , PHP internals , Scott Arciszewski Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] JSON HASHDOS From: pierre.php@gmail.com (Pierre Joye) hi, On Wed, Dec 24, 2014 at 7:37 PM, Yasuo Ohgaki wrote: > Hi Pierre, > > On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye wrote: >> >> Please keep in mind that this problem is: >> >> . not json specific >> . not specific at runtime but could also happen before a script get the >> hand >> >> A randomized hash only postpone the issue but won't solve it. >> >> I fear that a fix is way more work that what we may think. A discussion is >> going on security, let hope to get something in a reasonable time. I also >> wonder what we could provide right now to at least prevent script kiddies >> attacks during this holiday season.. > > I only read Zend code on occasion, so it might not be feasible. > > Anyway, when collision happens, Engine detects collision. > Limited number of collision should happen under normal circumstances. > Simply limiting number of collisions for a specific hash bucket would > prevent DoS. The limit may be INI setting, so that users may set higher > limit when they need. > > We may use more secure hash like half MD4 or CityHash (I'm not sure if > CityHash is secure enough, though), but it would be much slower than now. > > Limiting number of collision would be the best solution. We never worry > about > intensional collision attack again. I do not see how it solves the problem. It only reduces it, slightly. Having a couple of medium instances generating crafted requests will just have the same effect. So far the more realistic suggestions are about having collision safe implementation, not implementation with limited collisions. > P.S. Did we decide to have 64 bit array keys? 64 bit array key is much more > stronger against collisions. I would not say "much stronger", slightly stronger, but as long as the same implementation is used, it does not really solve anything on this area. -- Pierre @pierrejoye | http://www.libgd.org