If hash functions append the length, why does length extension attack work?
I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.
However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.
If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows `hash(message || length)`, there should be no way to obtain `hash(message)` to be able to calculate `hash(message || appended_data)` which would allow calculating `hash(message || appended_data || total_length)`.
hash merkle-damgaard length-extension
asked 10 hours ago by juhist
What does `hash(message || length)` mean?
– Vasu Deo.S, 8 hours ago
Possible duplicate of Understanding the length extension attack
– forest, 1 hour ago
1 Answer
Let `hash` be the raw hash function, as you're referring to. You mentioned that the attacker knows `hash(message || length)`, but to be more precise, they know `hash(message || padding || length)`. Let `full_hash` be the proper hash with padding and length, i.e. `full_hash(message) = hash(message || padding || length)`.
You're correct that if the attacker knows `hash(message || padding || length)`, then they can't compute `hash(message || appended_data)`.
But they can compute `hash(message || padding || length || appended_data || actual_padding || actual_length)` which is equal to `full_hash(message || padding || length || appended_data)`, which may be enough for an attack. The inner `padding` and `length` become "garbage" which can be ignored depending on the attack scenario.
In order to carry out the attack, start from `hash(message || padding || length)` (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (`appended_data || actual_padding || actual_length`).
edited 6 hours ago
answered 9 hours ago by Conrado
You forgot the padding there.
– SEJPM♦, 9 hours ago
@SEJPM I'm guessing "length" refers to "MD length padding" in this case.
– forest, 8 hours ago
Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
– Maarten Bodewes♦, 8 hours ago
I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
– Conrado, 6 hours ago
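
The identity in the answer above, carried through with SHA-1 as an added example that is not part of the original answer or comments: a pure-Python SHA-1 whose state can be resumed from a digest, checked against `hashlib`, with HMAC as the contrasting construction. `KEY`, `MSG`, `EXTRA` and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def compress(state, block):
    """SHA-1 compression of one 64-byte block: the answer's raw `hash` step."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rol(a, 5) + f + e + k + w[i]) & MASK, a, rol(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def md_padding(total_len):
    """The answer's `padding || length` for a message of total_len bytes."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def full_hash(data, state=IV, hashed_so_far=0):
    """SHA-1 with padding; state/hashed_so_far allow resuming from a digest."""
    data += md_padding(hashed_so_far + len(data))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)

def extend(digest, message_len, appended):
    """From full_hash(m) and len(m) alone, return the inner `padding || length`
    and full_hash(m || padding || length || appended)."""
    inner = md_padding(message_len)
    state = struct.unpack(">5I", digest)  # the digest is the whole internal state
    return inner, full_hash(appended, state, message_len + len(inner))

# Constructed sample values (assumptions for this example only).
KEY = b"constructed-demo-key"
MSG = b"user=alice&role=viewer"
EXTRA = b"&note=appended"

def demo():
    # hash(key || message) used as a MAC: the tag can be continued without KEY.
    tag = full_hash(KEY + MSG)
    inner, new_tag = extend(tag, len(KEY) + len(MSG), EXTRA)
    extended_msg = MSG + inner + EXTRA
    plain_ok = new_tag == hashlib.sha1(KEY + extended_msg).digest()
    # HMAC re-hashes the inner digest under the key, so its tag is not a state
    # from which the same continuation can be computed.
    h_tag = hmac.new(KEY, MSG, hashlib.sha1).digest()
    h_inner, h_guess = extend(h_tag, 64 + len(MSG), EXTRA)
    h_real = hmac.new(KEY, MSG + h_inner + EXTRA, hashlib.sha1).digest()
    return plain_ok, hmac.compare_digest(h_guess, h_real)
```

`demo()` returns `(True, False)`: the continued digest matches the real SHA-1 of the longer input, while the same continuation applied to an HMAC-SHA1 tag does not verify.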