Length extension attack

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message₁) and the length of message₁ to calculate Hash(message₁ ‖ message₂) for an attacker-controlled message₂, without needing to know the content of message₁. This is problematic when the hash is used as a message authentication code with construction Hash(secret ‖ message),^[1] and message and the length of secret is known, because an attacker can include extra information at the end of the message and produce a valid hash without knowing the secret. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack.^[1]^[2]^[3] Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible,^[4] nor is the SHA-3 algorithm.^[5] HMAC also uses a different construction and so is not vulnerable to length extension attacks.^[6] Lastly, just performing Hash(message ‖ secret) is enough to not be affected.^{[citation needed]}

^ ^a ^b Vũ, Hoàng (2012-03-30). "MD5 Length Extension Attack Revisited - Vũ's Inner Peace". Archived from the original on 2014-10-29. Retrieved 2017-10-27.
^ Duong, Thai; Rizzo, Juliano (2009-09-28). "Flickr's API Signature Forgery Vulnerability" (PDF). Retrieved 2023-03-18.
^ Meyer, Christopher (2012-07-30). "Hash Length Extension Attacks". Retrieved 2017-10-27.
^ Bostrom, Michael (2015-10-29). "size_t Does Matter: Hash Length Extension Attacks Explained" (PDF). Retrieved 2020-11-23.
^ Keccak Team. "Strengths of Keccak - Design and security". Retrieved 2017-10-27. Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.
^ Lawson, Nate (2009-10-29). "Stop using unsafe keyed hashes, use HMAC". Retrieved 2017-10-27.

[vudang-1] Vũ, Hoàng (2012-03-30). "MD5 Length Extension Attack Revisited - Vũ's Inner Peace". Archived from the original on 2014-10-29. Retrieved 2017-10-27.

[2] Duong, Thai; Rizzo, Juliano (2009-09-28). "Flickr's API Signature Forgery Vulnerability" (PDF). Retrieved 2023-03-18.

[3] Meyer, Christopher (2012-07-30). "Hash Length Extension Attacks". Retrieved 2017-10-27.

[4] Bostrom, Michael (2015-10-29). "size_t Does Matter: Hash Length Extension Attacks Explained" (PDF). Retrieved 2020-11-23.

[5] Keccak Team. "Strengths of Keccak - Design and security". Retrieved 2017-10-27. Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

[6] Lawson, Nate (2009-10-29). "Stop using unsafe keyed hashes, use HMAC". Retrieved 2017-10-27.

[1]

[2]

[3]

[4]

[5]

[6]

Length extension attack

From Wikipedia, the free encyclopedia · View on Wikipedia