Length extension attack

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. This is problematic when the hash is used as a message authentication code with the construction Hash(secret ‖ message),[1] and message and the length of secret are known, because an attacker can append extra information to the end of the message and produce a valid hash without knowing the secret. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack.[1][2][3] Truncated versions of SHA-2, including SHA-384 and SHA-512/256, are not susceptible,[4] nor is the SHA-3 algorithm.[5] HMAC also uses a different construction and so is not vulnerable to length extension attacks.[6] Lastly, simply computing Hash(message ‖ secret) is enough to avoid the problem.
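The constructions the article contrasts, as an added example that is not part of the original article: the weak prefix MAC Hash(secret ‖ message) beside the three alternatives the text names as safe (HMAC, the suffix construction Hash(message ‖ secret), and a keyed SHA-3 hash). It also builds the Merkle–Damgård padding that SHA-256 appends before hashing, which is why an attacker needs the length of the secret: the padding, and therefore the bytes that sit between message1 and message2 in the extended message, depends on the total length of secret ‖ message. The secret and message values are constructed for this demonstration; the helper names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration (not from the article).
SECRET = b"server-side-secret-key"
MESSAGE = b"user=alice&quota=10"


def prefix_mac(secret: bytes, message: bytes) -> bytes:
    """The weak construction Hash(secret || message) the article warns about.

    SHA-256 is Merkle-Damgard based, so its output is the full internal
    state after the last block; a verifier using this MAC cannot tell an
    honest tag from one computed by continuing the hash from that state.
    """
    return hashlib.sha256(secret + message).digest()


def suffix_mac(secret: bytes, message: bytes) -> bytes:
    """Hash(message || secret): the secret is absorbed last, so the
    published digest is never an intermediate state an attacker can extend
    without also knowing the secret."""
    return hashlib.sha256(message + secret).digest()


def hmac_mac(secret: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the nested H(k2 || H(k1 || m)) construction hides the
    inner state behind a second keyed hash, so extending the inner hash
    produces nothing a verifier will accept."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def sha3_keyed_mac(secret: bytes, message: bytes) -> bytes:
    """Keyed SHA-3 by simply prepending the key, as the Keccak team
    describes: the sponge output is a truncation of a larger state, so the
    digest does not reveal enough to continue the computation."""
    return hashlib.sha3_256(secret + message).digest()


def md_padding(total_len: int) -> bytes:
    """Merkle-Damgard padding SHA-256 applies to a message of total_len
    bytes: a 0x80 byte, zero bytes up to 56 mod 64, then the message length
    in bits as a 64-bit big-endian integer. Hash(secret || message) is
    really Hash(secret || message || md_padding(len(secret) + len(message))),
    which is why the attacker must know the length of the secret even
    though its content stays unknown."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def padded_length(total_len: int) -> int:
    """Length of the message after padding; always a multiple of the
    64-byte SHA-256 block size."""
    return total_len + len(md_padding(total_len))


def verify(mac_fn, secret: bytes, message: bytes, tag: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_fn(secret, message), tag)


if __name__ == "__main__":
    for name, fn in [("prefix (weak)", prefix_mac), ("suffix", suffix_mac),
                     ("HMAC", hmac_mac), ("SHA-3 keyed", sha3_keyed_mac)]:
        print(f"{name:14} {fn(SECRET, MESSAGE).hex()}")
    n = len(SECRET) + len(MESSAGE)
    print(f"padding for {n} bytes: {md_padding(n).hex()} -> {padded_length(n)} bytes")
```

Only the first of the four functions is extendable; the other three are the mitigations the article lists. The padding helper shows that the "glue" between the original message and any appended data is fully determined by the length of secret ‖ message, so a verifier that keeps the secret length unguessable does not gain much: the attacker can simply try each plausible length, and the real fix is to change the construction.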

  1. Vũ, Hoàng (2012-03-30). "MD5 Length Extension Attack Revisited - Vũ's Inner Peace". Archived from the original on 2014-10-29. Retrieved 2017-10-27.
  2. Duong, Thai; Rizzo, Juliano (2009-09-28). "Flickr's API Signature Forgery Vulnerability" (PDF). Retrieved 2023-03-18.
  3. Meyer, Christopher (2012-07-30). "Hash Length Extension Attacks". Retrieved 2017-10-27.
  4. Bostrom, Michael (2015-10-29). "size_t Does Matter: Hash Length Extension Attacks Explained" (PDF). Retrieved 2020-11-23.
  5. Keccak Team. "Strengths of Keccak - Design and security". Retrieved 2017-10-27. "Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key."
  6. Lawson, Nate (2009-10-29). "Stop using unsafe keyed hashes, use HMAC". Retrieved 2017-10-27.