Crypto collisions cause denial of service in major hashes


Denial of service vulnerabilities have been found in cryptographic systems underpinning a host of web applications, including those offered by Google, Microsoft and Yahoo and those based on Java, among scores of others.

The attacks target weaknesses in the hash algorithms that permit multiple hash collisions to take place. This can quickly overload any application using a vulnerable hash algorithm.

The popular MurmurHash algorithm was found vulnerable to the attacks, along with a hash used by Python, Google's CityHash and likely Microsoft's .NET Marvin32 hash, which appeared not to be “built with security in mind”, according to the research trio behind the work. Problems occurred when hash algorithms did not evenly distribute strings, causing linked lists to become long and making hash tables slow.
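
The slowdown described above, as an added example that is not from the researchers or the original article: it measures how long the bucket chains of a chained hash table become under an unevenly distributing hash and under a keyed one. The sum-of-bytes hash, the table size of 1024 and the keyed BLAKE2b mitigation are assumptions chosen for illustration and are not among the algorithms named in the article.

```python
import hashlib
import itertools
import os
from collections import Counter

BUCKETS = 1024  # assumed table size for the demonstration


def weak_hash(key: bytes) -> int:
    """Toy unkeyed hash (sum of bytes): every permutation of a string collides."""
    return sum(key)


def make_keyed_hash(secret: bytes):
    """Build a hash keyed with a per-process secret (keyed BLAKE2b, assumed mitigation)."""
    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed_hash


def bucket_counts(keys, hash_fn, buckets=BUCKETS) -> Counter:
    """Number of keys that land in each bucket of a chained hash table."""
    return Counter(hash_fn(k) % buckets for k in keys)


def longest_chain(keys, hash_fn, buckets=BUCKETS) -> int:
    """Length of the longest linked list the table would have to walk."""
    return max(bucket_counts(keys, hash_fn, buckets).values())


def insert_comparisons(keys, hash_fn, buckets=BUCKETS) -> int:
    """Key comparisons needed to insert all keys with a duplicate check:
    a chain of n entries costs 0 + 1 + ... + (n - 1) = n(n - 1) / 2."""
    counts = bucket_counts(keys, hash_fn, buckets)
    return sum(n * (n - 1) // 2 for n in counts.values())


# Constructed sample input: the 5040 distinct permutations of one 7-byte string.
SAMPLE_KEYS = [bytes(p) for p in itertools.permutations(b"abcdefg")]


def compare():
    """Chain length and insertion cost for the same keys under both hashes."""
    keyed = make_keyed_hash(os.urandom(16))  # fresh secret on every run
    return {name: (longest_chain(SAMPLE_KEYS, fn), insert_comparisons(SAMPLE_KEYS, fn))
            for name, fn in (("weak", weak_hash), ("keyed", keyed))}


if __name__ == "__main__":
    for name, (chain, cost) in compare().items():
        print(f"{name:5s} longest chain = {chain:5d}  comparisons = {cost}")
```

The longest-chain figure is also a practical health metric: a table whose longest chain grows with the number of keys, rather than staying near the average load, is degrading toward linear-time lookups.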