If hash functions append the length, why does length extension attack work?


I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.



However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.



If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows hash(message || length), there should be no way to obtain hash(message) to be able to calculate hash(message || appended_data) which would allow calculating hash(message || appended_data || total_length).







hash merkle-damgaard length-extension
















asked 8 hours ago by juhist












  • What does hash(message || length) mean? – Vasu Deo.S, 7 hours ago

  • Possible duplicate of Understanding the length extension attack – forest, 13 mins ago




























1 Answer



Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).







edited 5 hours ago

answered 8 hours ago by Conrado








  • You forgot the padding there. – SEJPM, 8 hours ago (3 votes)

  • @SEJPM I'm guessing "length" refers to "MD length padding" in this case. – forest, 7 hours ago

  • Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted. – Maarten Bodewes, 6 hours ago (1 vote)

  • I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear. – Conrado, 5 hours ago
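The identity described in the answer above, as an added example that is not part of the original thread: a compact pure-Python SHA-1 in which `raw_hash` and `full_hash` follow the answer's `hash` and `full_hash`, and `extend` computes `full_hash(message || padding || length || appended_data)` from the original digest and the message length alone. The helper names `md_padding` and `extend` and the sample message are assumptions made for this illustration; results are checked against `hashlib.sha1`.

```python
import hashlib
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def compress(state, block):
    """SHA-1 compression function: absorb one 64-byte block into the state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = temp, a, rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def md_padding(total_len):
    """The 'padding || length' suffix SHA-1 appends to a total_len-byte input."""
    zeros = b"\x00" * ((55 - total_len) % 64)
    return b"\x80" + zeros + struct.pack(">Q", total_len * 8)

def raw_hash(data, state=IV):
    """The answer's `hash`: iterate the compression function, no padding added."""
    assert len(data) % 64 == 0, "raw_hash only accepts whole blocks"
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return state

def full_hash(message):
    """The answer's `full_hash`: hash(message || padding || length)."""
    return struct.pack(">5I", *raw_hash(message + md_padding(len(message))))

def extend(digest, message_len, appended_data):
    """Use only full_hash(message) and len(message); the message is never seen.

    Returns (suffix, new_digest) with full_hash(message + suffix) == new_digest.
    """
    state = struct.unpack(">5I", digest)       # the digest IS the internal state
    glue = md_padding(message_len)             # inner padding || length ("garbage")
    total = message_len + len(glue) + len(appended_data)
    tail = appended_data + md_padding(total)   # actual_padding || actual_length
    return glue + appended_data, struct.pack(">5I", *raw_hash(tail, state))

def demo():
    message = b"constructed sample message"    # constructed input, not from the page
    suffix, new_digest = extend(full_hash(message), len(message), b";appended_data")
    return new_digest == hashlib.sha1(message + suffix).digest()
```
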













