If hash functions append the length, why does length extension attack work?Understanding the length extension attackDoes a hash function have a Upper bound on input length?Understanding the length extension attackWill length-extension work if secret is not prefixed but appended to the data?Solve a problem, thought it was hash length extension, hours later, am I wrong?Hash length extension attack - SHA256 to 512 - impossible, correct?How does the Flickr length extension attack work?Is it possible to work out the hash using length extension attack but with different hashes type?Why does SHA-2 call for doing 10* padding in addition to appending the message length?I didn't get the hash length extension attacksUnderstanding double hash and 0 block prepending to mitigate length extension attacksSHA1 padding on length extension attack

Why was Quirrell said to be in the Black Forest if Voldemort was actually in Albania?

Killing a star safely

Cargo capacity of a kayak

You have no, but can try for yes

Adding gears to my grandson's 12" bike

Is it better to deliver many low-value stories or few high-value stories?

My current job follows "worst practices". How can I talk about my experience in an interview without giving off red flags?

Can I use Sitecore's Configuration patching mechanics for my Identity Server configuration?

Did Don Young threaten John Boehner with a 10 inch blade to the throat?

Why can't a country print its own money to spend it only abroad?

Please let me know why 2/16 has a remainder of 2. Thanks

Oriented vector bundle with odd-dimensional fibers

Do I have to mention my main character's age?

Host telling me to cancel my booking in exchange for a discount?

What kind of curve (or model) should I fit to my percentage data?

What do Unicorns want?

Strange LED behavior

Why is DC so, so, so Democratic?

What does a black-and-white Puerto Rican flag signify?

What does a Nintendo Game Boy do when turned on without a game cartridge inserted?

How can I show that the speed of light in vacuum is the same in all reference frames?

Which dice game has a board with 9x9 squares that has different colors on the diagonals and midway on some edges?

If hash functions append the length, why does length extension attack work?

Quickest way to move a line in a text file before another line in a text file?



If hash functions append the length, why does length extension attack work?


Understanding the length extension attackDoes a hash function have a Upper bound on input length?Understanding the length extension attackWill length-extension work if secret is not prefixed but appended to the data?Solve a problem, thought it was hash length extension, hours later, am I wrong?Hash length extension attack - SHA256 to 512 - impossible, correct?How does the Flickr length extension attack work?Is it possible to work out the hash using length extension attack but with different hashes type?Why does SHA-2 call for doing 10* padding in addition to appending the message length?I didn't get the hash length extension attacksUnderstanding double hash and 0 block prepending to mitigate length extension attacksSHA1 padding on length extension attack






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2












$begingroup$


I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.



However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.



If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows hash(message || length), there should be no way to obtain hash(message) to be able to calculate hash(message || appended_data) which would allow calculating hash(message || appended_data || total_length).










share|improve this question









$endgroup$











  • $begingroup$
    what does hash(message || length) mean?
    $endgroup$
    – Vasu Deo.S
    8 hours ago










  • $begingroup$
    Possible duplicate of Understanding the length extension attack
    $endgroup$
    – forest
    1 hour ago

















2












$begingroup$


I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.



However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.



If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows hash(message || length), there should be no way to obtain hash(message) to be able to calculate hash(message || appended_data) which would allow calculating hash(message || appended_data || total_length).










share|improve this question









$endgroup$











  • $begingroup$
    what does hash(message || length) mean?
    $endgroup$
    – Vasu Deo.S
    8 hours ago










  • $begingroup$
    Possible duplicate of Understanding the length extension attack
    $endgroup$
    – forest
    1 hour ago













2












2








2


1



$begingroup$


I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.



However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.



If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows hash(message || length), there should be no way to obtain hash(message) to be able to calculate hash(message || appended_data) which would allow calculating hash(message || appended_data || total_length).










share|improve this question









$endgroup$




I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the appended data.



However, recently I became aware that hash functions including MD5, SHA1, etc. actually append the length.



If hash functions append the length, why doesn't that stop the length extension attacks? For a good hash function, if the attacker knows hash(message || length), there should be no way to obtain hash(message) to be able to calculate hash(message || appended_data) which would allow calculating hash(message || appended_data || total_length).







hash merkle-damgaard length-extension






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 10 hours ago









juhistjuhist

5301 gold badge4 silver badges6 bronze badges




5301 gold badge4 silver badges6 bronze badges











  • $begingroup$
    what does hash(message || length) mean?
    $endgroup$
    – Vasu Deo.S
    8 hours ago










  • $begingroup$
    Possible duplicate of Understanding the length extension attack
    $endgroup$
    – forest
    1 hour ago
















  • $begingroup$
    what does hash(message || length) mean?
    $endgroup$
    – Vasu Deo.S
    8 hours ago










  • $begingroup$
    Possible duplicate of Understanding the length extension attack
    $endgroup$
    – forest
    1 hour ago















$begingroup$
what does hash(message || length) mean?
$endgroup$
– Vasu Deo.S
8 hours ago




$begingroup$
what does hash(message || length) mean?
$endgroup$
– Vasu Deo.S
8 hours ago












$begingroup$
Possible duplicate of Understanding the length extension attack
$endgroup$
– forest
1 hour ago




$begingroup$
Possible duplicate of Understanding the length extension attack
$endgroup$
– forest
1 hour ago










1 Answer
1






active

oldest

votes


















6












$begingroup$

Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    You forgot the padding there.
    $endgroup$
    – SEJPM
    9 hours ago










  • $begingroup$
    @SEJPM I'm guessing "length" refers to "MD length padding" in this case.
    $endgroup$
    – forest
    8 hours ago






  • 1




    $begingroup$
    Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
    $endgroup$
    – Maarten Bodewes
    8 hours ago











  • $begingroup$
    I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
    $endgroup$
    – Conrado
    6 hours ago













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72104%2fif-hash-functions-append-the-length-why-does-length-extension-attack-work%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









6












$begingroup$

Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    You forgot the padding there.
    $endgroup$
    – SEJPM
    9 hours ago










  • $begingroup$
    @SEJPM I'm guessing "length" refers to "MD length padding" in this case.
    $endgroup$
    – forest
    8 hours ago






  • 1




    $begingroup$
    Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
    $endgroup$
    – Maarten Bodewes
    8 hours ago











  • $begingroup$
    I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
    $endgroup$
    – Conrado
    6 hours ago















6












$begingroup$

Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).






share|improve this answer











$endgroup$








  • 3




    $begingroup$
    You forgot the padding there.
    $endgroup$
    – SEJPM
    9 hours ago










  • $begingroup$
    @SEJPM I'm guessing "length" refers to "MD length padding" in this case.
    $endgroup$
    – forest
    8 hours ago






  • 1




    $begingroup$
    Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
    $endgroup$
    – Maarten Bodewes
    8 hours ago











  • $begingroup$
    I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
    $endgroup$
    – Conrado
    6 hours ago













6












6








6





$begingroup$

Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).






share|improve this answer











$endgroup$



Let hash be the raw hash function, as you're referring to. You mentioned that the attacker knows hash(message || length), but to be more precise, they know hash(message || padding || length). Let full_hash be the proper hash with padding and length, i.e. full_hash(message) = hash(message || padding || length).



You're correct that if the attacker knows hash(message || padding || length), then they can't compute hash(message || appended_data).



But they can compute hash(message || padding || length || appended_data || actual_padding || actual_length) which is equal to full_hash(message || padding || length || appended_data), which may be enough for an attack. The inner padding and length become "garbage" which can be ignored depending on the attack scenario.



In order to carry out the attack, start from hash(message || padding || length) (i.e. the original hash), use it as the initial state for the hash, and then feed the remaining data (appended_data || actual_padding || actual_length).







share|improve this answer














share|improve this answer



share|improve this answer








edited 6 hours ago

























answered 9 hours ago









ConradoConrado

2,93313 silver badges28 bronze badges




2,93313 silver badges28 bronze badges







  • 3




    $begingroup$
    You forgot the padding there.
    $endgroup$
    – SEJPM
    9 hours ago










  • $begingroup$
    @SEJPM I'm guessing "length" refers to "MD length padding" in this case.
    $endgroup$
    – forest
    8 hours ago






  • 1




    $begingroup$
    Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
    $endgroup$
    – Maarten Bodewes
    8 hours ago











  • $begingroup$
    I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
    $endgroup$
    – Conrado
    6 hours ago












  • 3




    $begingroup$
    You forgot the padding there.
    $endgroup$
    – SEJPM
    9 hours ago










  • $begingroup$
    @SEJPM I'm guessing "length" refers to "MD length padding" in this case.
    $endgroup$
    – forest
    8 hours ago






  • 1




    $begingroup$
    Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
    $endgroup$
    – Maarten Bodewes
    8 hours ago











  • $begingroup$
    I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
    $endgroup$
    – Conrado
    6 hours ago







3




3




$begingroup$
You forgot the padding there.
$endgroup$
– SEJPM
9 hours ago




$begingroup$
You forgot the padding there.
$endgroup$
– SEJPM
9 hours ago












$begingroup$
@SEJPM I'm guessing "length" refers to "MD length padding" in this case.
$endgroup$
– forest
8 hours ago




$begingroup$
@SEJPM I'm guessing "length" refers to "MD length padding" in this case.
$endgroup$
– forest
8 hours ago




1




1




$begingroup$
Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
$endgroup$
– Maarten Bodewes
8 hours ago





$begingroup$
Not convinced, that kind of derivation can only be made if you already know that the plaintext is extended by padding followed by the encoding of the length. Likely only persons that understand length attacks already know that this is the case. I think SEJPM makes a valid point and the answer should be extended or adjusted.
$endgroup$
– Maarten Bodewes
8 hours ago













$begingroup$
I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
$endgroup$
– Conrado
6 hours ago




$begingroup$
I don't think that mentioning padding helps understanding the issue, but I expanded my answer in an attempt to be more precise and clear.
$endgroup$
– Conrado
6 hours ago

















draft saved

draft discarded
















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72104%2fif-hash-functions-append-the-length-why-does-length-extension-attack-work%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單