ipv6 connection hash function wanted ...
olli at lurza.secnetix.de
Wed Nov 15 13:01:36 UTC 2006
Oliver Fromme wrote:
> Max Laier wrote:
> > David Malone wrote:
> > > Assuming you don't want to use one of the standard cryptographic
> > > ones (which I can imagine being a bit slow for something done
> > > per-packet), then one option might be to use a simpler hash that
> > > is keyed. Choose the key at boot/module load time and make it hard
> > > to produce collisions unless you know the key.
> > That's exactly what I am looking for ... now I need someone[tm] - with
> > better Math-Knowledge than mine - to write such a thing down in a simple
> > formula :-) i.e. take those bits from there and there and XOR them with
> > your canary yada-yada-yada ...
> In that case, simply use crc32 (available from libkern.h)
> and xor with a random key generated at boot time. crc32
> is fast to calculate and has the properties that you need.
Uhm, sorry, after reading that sentence again and thinking
about it, it seems to be misleading.
You have to xor with a random key _first_, and _then_
calculate the crc32 value. If you did it the other way,
the random key would not prevent from collisions at all,
because: same_crc ^ same_key == same_hash. ;-)
Suppose a malicious user is able to create two different
sets of connections parameters (P1 and P2) which have the
same CRC32 value (without using a key):
P1 != P2
crc32(P1) == crc32(P2)
If you xor (or add) the random key K to the parameters,
it will change the outcome of the crc32 calculation in
crc32(P1 ^ K) != crc32(P2 ^ K)
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"I made up the term 'object-oriented', and I can tell you
I didn't have C++ in mind."
-- Alan Kay, OOPSLA '97
More information about the freebsd-hackers