Questions tagged [length-extension]

A length extension attack is an attack on a hash or message authentication code (MAC) function that lets an attacker append extra data to a message and compute a valid hash/MAC for the extended message without knowing the secret.

Length extension attacks apply to hash and MAC constructions whose output exposes the function's internal state: given H(m) and the length of m, anyone can compute H(m || pad || m') for a chosen m' without knowing m itself, where pad is the padding the hash inserted after m. The practical target is a MAC built as H(secret || message): the forger appends the original padding plus a suffix of their choosing and obtains a tag the verifier accepts, without ever learning the secret.

Hash functions built on an unmodified Merkle–Damgård construction, including MD5, SHA-1, SHA-256 and SHA-512, are vulnerable to length extension, as is CBC-MAC when it is used on variable-length messages.

Merkle–Damgård based hash functions that truncate the internal state (such as SHA-224, SHA-384 and SHA-512/256), the HMAC construction, and newer hash function designs such as SHA-3/Keccak, the SHA-3 competition finalists Skein and BLAKE, and BLAKE2 are not vulnerable to length extension. Note that truncation only helps in proportion to the bits it hides: SHA-224 withholds just 32 bits of its 256-bit state, so an attacker who can submit forgeries online needs about 2^32 attempts, whereas SHA-384 and SHA-512/256 hide at least 128 bits.

See the Wikipedia page for more information.
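As an added worked example (not part of the tag wiki), the following Python carries out the attack described above against a "MAC" of the form SHA1(key || msg). It includes a minimal SHA-1 so that the chaining state can be seeded from an existing digest; hashlib is used only as the victim's verifier, and hmac shows that HMAC-SHA1 resists the same manipulation. The key, message and appended suffix are constructed for the demonstration, and the attacker is assumed to know the key length (in practice it is guessed by trying plausible values).

```python
"""Length extension against SHA1(key || msg); added example, not the tag wiki's code."""
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _compress(state, block):
    """One SHA-1 compression of a 64-byte block (FIPS 180-4, section 6.1.2)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def md_padding(total_len):
    """Merkle-Damgard padding for a total_len-byte message: 0x80, zeros, 64-bit big-endian bit length."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def sha1_resume(state, data, bytes_already_hashed):
    """Finish SHA-1 from a known chaining state, as if bytes_already_hashed bytes preceded data.

    bytes_already_hashed must be a multiple of 64: the state is only exposed at block boundaries.
    """
    buf = data + md_padding(bytes_already_hashed + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack(">5I", *state)


def sha1(data):
    return sha1_resume(SHA1_IV, data, 0)


def sha1_matches_hashlib(data):
    """Sanity check of the toy SHA-1 against the standard library."""
    return sha1(data) == hashlib.sha1(data).digest()


def length_extend(tag, key_len, msg, ext):
    """Attacker side: from tag = SHA1(key||msg) and key_len alone, forge (msg', tag').

    msg' = msg || glue || ext, where glue is the padding the hash itself inserted after
    key||msg. The digest is exactly the chaining state after that padded block, so the
    attacker resumes hashing from it as if the whole prefix had been processed.
    """
    glue = md_padding(key_len + len(msg))
    state = struct.unpack(">5I", tag)
    forged_msg = msg + glue + ext
    forged_tag = sha1_resume(state, ext, key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


def naive_mac(key, msg):
    """Vulnerable construction: H(key || msg)."""
    return hashlib.sha1(key + msg).digest()


def forgery_accepted(key, msg, ext):
    """Does the verifier's naive check accept the attacker's extended message?"""
    forged_msg, forged_tag = length_extend(naive_mac(key, msg), len(key), msg, ext)
    return hmac.compare_digest(naive_mac(key, forged_msg), forged_tag)


def hmac_forgery_accepted(key, msg, ext):
    """Same attack against HMAC-SHA1: the outer hash hides the inner state, so it fails."""
    tag = hmac.new(key, msg, hashlib.sha1).digest()
    forged_msg, forged_tag = length_extend(tag, len(key), msg, ext)
    return hmac.compare_digest(hmac.new(key, forged_msg, hashlib.sha1).digest(), forged_tag)


if __name__ == "__main__":
    KEY = b"server-secret-key"      # constructed; the attacker never learns it
    MSG = b"user=alice&role=user"   # constructed
    EXT = b"&role=admin"            # suffix the attacker appends
    print("toy SHA-1 agrees with hashlib:", sha1_matches_hashlib(KEY + MSG))
    print("H(key||msg) forgery accepted:", forgery_accepted(KEY, MSG, EXT))
    print("HMAC-SHA1 forgery accepted:", hmac_forgery_accepted(KEY, MSG, EXT))
```

The forged message contains the glue padding bytes (0x80, zeros and the original bit length) between the legitimate data and the suffix, which is why the attack bites hardest in parsers that tolerate or ignore such bytes, for example query-string style `key=value` formats where the last occurrence of a key wins.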

66 questions
61
votes
2 answers

Understanding the length extension attack

I have been trying to understand exactly how a length extension attack works on SHA-1. I'll detail below what I've understood so far so that I can convey my understanding of the same and hopefully get advice on where I'm going wrong. Let's assume…
user114
42
votes
4 answers

Purpose of outer key in HMAC

From what I know, the HMAC construction has two strengths: it's resistant to length extensions; since the key is consumed before the message, the attacker does not know the initial state, preventing simple collision attacks. But the simple…
CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
16
votes
2 answers

In which situations is a length-extension attack a problem?

A lot of hash functions, including the SHA-2 family (but not the SHA-3 candidates and SHA256d), are vulnerable to length extension attacks. But when is this property a problem? I guess certain naive MAC implementations might have issues. Are there…
CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
15
votes
1 answer

How does the secret key in an HMAC prevent modification of the HMAC?

Just as a preface: I'm not implementing an HMAC - I just want to understand it, as it is part of my Computer Science course. When using Hash-based message authentication codes, I understand that you need to protect the front and back of the MAC to…
user11184
12
votes
1 answer

Why is H(message||secret_key) not vulnerable to length-extension attack?

Given a Merkle-Damgård hash function $H$, I know that an attacker can forge a message protected by a MAC computed as $H(\textrm{secret_key}||\textrm{message})$. Why can't he perform the same extension attack on a MAC construction…
Peter
  • 123
  • 1
  • 4
12
votes
1 answer

Why isn't outputting only a portion of the hash state a simple defense against length extension attacks?

As I understand length extension attacks, they depend on the coincidental property of most cryptographic hash functions that the hash value is exactly the hash function state after hashing the last block of data. This enables an attacker to…
sehrgut
  • 223
  • 1
  • 8
7
votes
2 answers

If hash functions append the length, why does length extension attack work?

I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the…
juhist
  • 1,643
  • 1
  • 13
  • 18
6
votes
1 answer

md5: is reverse length-extension attack possible?

If I know H = md5( SECRET_KEY | DATA ) then I can calculate H' = md5( SECRET_KEY | DATA | DATA' ) That's length-extension attack. But is the opposite possible? E.g. if I know H = md5( SECRET_KEY | DATA ) can I find H'' = md5( SECRET_KEY ) where…
5
votes
2 answers

Encrypting messages without revealing length?

In various messengers, we have end-to-end encryption, making it hard to know what the message said. But do these messengers have to pad the message to some maximum length every time, in order to hide the length of the message? In a block cipher,…
5
votes
1 answer

Is Blake2b vulnerable to length extension attacks?

There are very few resources for Blake2b apart from the official documentation and website. I would like to know if Blake2b is not vulnerable to length extension attacks unlike SHA2. I would like your help as soon as possible.
Hinton Zsh
  • 361
  • 3
  • 10
5
votes
1 answer

Does length-prepending stop length-extension attacks?

Does length-prepending stop length-extension attacks on Merkle-Damgård hash functions, assuming that the length is checked?
Demi
  • 4,853
  • 1
  • 22
  • 40
5
votes
2 answers

Is a random length-extension worth the effort?

I'm conceiving an application that uses cryptographic tools and concepts for securing data. I know that's difficult and risky, therefore I prefer to ask around before implementing anything. When using generic length-extension for hash functions,…
Berzemus
  • 175
  • 5
4
votes
3 answers

Is it possible to fake any file's SHA-256 checksum with a length extension attack?

Can a fake SHA-256 checksum be created trivially for any file by attacker after padding some data after original file i.e. using length extension attack? E.g: Alice creates fake linux installation ISO file using length extension attack by padding…
nlzzl1m
  • 41
  • 1
  • 2
4
votes
2 answers

The length extension attack and security on length shortening of a hashed message by one byte

MD5, SHA1, SHA2 are vulnerable to length extension attacks (Wikipedia: Length extension attack). Could it also be possible to generate $H(\text{message}[1..n-1])$ from $H(\text{message}[1..n])$ if I know the last byte? It's essentially the same…
4
votes
1 answer

Is length extension attack considered as collision?

I came across a few articles about length extension attacks on cryptographic hash functions. I was very surprised to read that SHA-256 and SHA-512 are prone to length extension attacks. This seems contradictory to the fact that—to the best of my…
DurandA
  • 453
  • 5
  • 22