From: "George Spelvin" <linux@horizon.com>
To: herbert@gondor.apana.org.au, linux@horizon.com
Cc: davem@davemloft.net, dborkman@redhat.com,
hannes@stressinduktion.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, tgraf@suug.ch, tytso@mit.edu
Subject: Re: Where exactly will arch_fast_hash be used
Date: 7 Dec 2014 08:23:05 -0500 [thread overview]
Message-ID: <20141207132305.24691.qmail@ns.horizon.com> (raw)
In-Reply-To: <20141207125157.GA9745@gondor.apana.org.au>
>> How does this implicate the low bits specifically?
> If you can easily deduce the pre-images that make the last bit
> of the hash even or odd, then you've just cut your search space
> for collisions by half. The real killer is that you can do this
> without knowing what the secret is.
Um, yes, if you're in a situation where a hash collsion DoS is possible,
a CRC is disastrous choice. You can trivially find collisions for *all*
bits of a CRC. Low or high, they're all equally easy.
When you said
>>>>> Even if security wasn't an issue, straight CRC32 has really poor
>>>>> lower-order bit distribution, which makes it a terrible choice for
>>>>> a hash table that simply uses the lower-order bits.
This is talking about:
- Non-malicious inputs,where security isn't an issue, and
- Low-order bits specifically, implying that the high-order bits are different.
*That's* the claim I'm curious about. I know perfectly well that if
security *is* an issue, a fixed-polynomial CRC is a disaser.
But for non-malicious inputs, like normal software identifiers, a CRC
actually works very well.
If you want to do secure hashing with a CRC, you need to have a secret
*polynomial*. That *is* provably secure (it's a universal family of hash
functions), but isn't provided by x86 unless you use SSE and PCLMUL.
That's why it's a non-cryptographic hash, suitable for non-malicious
inputs only. That's the same security claim as many other common hash
functions.
> Our entire scheme is dependent on using the secret to defeat
> would-be attackers. If CRC does not make effective use of the
> secret, then we're essentially naked against attackers.
Okay, I'm confused. *What* scheme? The arch_fast_hash interface doesn't
have any provision for a secret. Because there's no point to having one;
you can't change the polynomial, and anything additive has just moves
collisions around without reducing them.
So there are plenty of hash tables in Linux that you don't dare use this
with. In fact, so many that, as you rightly point out, it's not clear
if it's worth providing this special optimization for the few remaining.
next prev parent reply other threads:[~2014-12-07 13:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-07 5:20 Where exactly will arch_fast_hash be used George Spelvin
2014-12-07 9:28 ` Herbert Xu
2014-12-07 10:02 ` George Spelvin
2014-12-07 12:51 ` Herbert Xu
2014-12-07 13:23 ` George Spelvin [this message]
2014-12-07 14:06 ` Hannes Frederic Sowa
2014-12-07 21:33 ` George Spelvin
2014-12-08 11:25 ` Hannes Frederic Sowa
2014-12-08 16:19 ` George Spelvin
2014-12-08 16:32 ` Hannes Frederic Sowa
2014-12-09 14:24 ` Herbert Xu
2014-12-07 13:14 ` Hannes Frederic Sowa
2014-12-07 13:30 ` George Spelvin
2014-12-07 13:41 ` Hannes Frederic Sowa
2014-12-07 13:52 ` Hannes Frederic Sowa
-- strict thread matches above, loose matches on Subject: below --
2014-12-04 8:11 Herbert Xu
2014-12-04 12:34 ` Hannes Frederic Sowa
2014-12-04 13:14 ` Daniel Borkmann
2014-12-04 15:26 ` Thomas Graf
2014-12-04 15:29 ` Herbert Xu
2014-12-04 15:39 ` Thomas Graf
2014-12-04 15:43 ` Daniel Borkmann
2014-12-04 15:47 ` Herbert Xu
2014-12-04 15:51 ` Daniel Borkmann
2014-12-04 15:56 ` David Laight
2014-12-04 16:10 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141207132305.24691.qmail@ns.horizon.com \
--to=linux@horizon.com \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=hannes@stressinduktion.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).