Menu
I do not understand why Data.HashTable is using Data.Hashable , which has hashWithSalt as the (only/basic) method.
This does not fit with the natural optimization of computing the hash value once, and storing it in the object (natural, because Haskell objects are immutable).
If I want to use HashTables with that, then I'm forced to implement hashWithSalt.
(Going 1.2.0.* to 1.2.1.*, hashable re-introduced hash as a class method, but this does not help?)
The actual Table implementations don't seem to make use of hashWithSalt (HashTable.ST.Linear does not at all, HashTable.ST.Cuckoo uses two fixed salts only).
869
Salt is a cryptographically secure random string that is added to a password before it's hashed, and the salt should be stored with the hash, making it difficult for an attacker to know the original plaintext without having access to both sources.
A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.
By adding randomness to the original plaintext password value before hashing, salting ensures that a different hashed value is generated. Salting is an additional layer of security to prevent, or at least minimize, the possibility of password compromise by the following three primary attack vectors.
What is Salting? Salting is a concept that typically pertains to password hashing. Essentially, it's a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute force attacks.
As Carl notes in the comments, the move to the hashWithSalt method over just hash (as the original Hashable used) was to allow people to mitigate DOS attacks based on hash collisions. For a period, a different random default salt was generated on every run, even, using unsafePerformIO in the background. This lack of reproducibility turned out to be a huge problem, however, for people interested in e.g. persisting data structures across runs, getting reliable benchmarking numbers, etc.
So, the current approach is to provide the method, but tend to defer to a default salt that is fixed, and then add a warning to the documentation that this remains susceptible to various potential DOS attack vectors if used in a public-facing ways. (You can see for yourself in the documentation here: http://hackage.haskell.org/package/hashable-1.2.1.0/docs/Data-Hashable.html)
Because hash is its own class method, it is easy enough to implement an object with a "saltless" hash that is memoed with it, and furthermore, you can implement hashWithSalt as just xoring with the salt if you like. Or, as the comments note, you can implement hashWithSalt via a more legitimate method of hashing your generated/memoed hash.
106
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
