

Everything you need to know about hash length extension attacks (2012) - laurent123456
http://www.skullsecurity.org/blog/2012/everything-you-need-to-know-about-hash-length-extension-attacks

======
pointernil
A nice tool to play with and to make ppl see how easily home-grown crypto can
be broken and why those simple hash(secret || data) constructions are not a
replacement for a true HMAC implementation.

Note to self: Again, never ever implement your own crypto. Ever.
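Added example (not code from the linked article or from anyone in this thread): the home-grown hash(secret || data) tag next to the HMAC-SHA256 replacement, with a constant-time verifier. The key and message below are constructed values, and the reference vector in the comments is RFC 4231 test case 1.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the page): a server-side key and a
# message whose integrity the tag is supposed to protect.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
MESSAGE = b"user=alice&role=guest"


def weak_tag(secret: bytes, data: bytes) -> str:
    """The construction the thread warns about: H(secret || data).

    The digest is the hash's full internal state after absorbing
    secret || data plus padding, which is what makes length extension
    possible. Kept only as the 'before' case; do not use it.
    """
    return hashlib.sha256(secret + data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """The recommended replacement: HMAC-SHA256 from the standard library.

    HMAC hashes twice with distinct keyed paddings, so the outer hash
    hides the inner state and length extension does not apply.
    RFC 4231 test case 1: key = 0x0b * 20, data = b"Hi There" gives
    b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Verify a tag in constant time so the comparison does not leak
    how many leading characters matched."""
    expected = hmac_tag(key, data)
    return hmac.compare_digest(expected, tag)


def tamper_detected(key: bytes, data: bytes, tag: str, suffix: bytes) -> bool:
    """Return True if appending `suffix` to the data invalidates the tag.
    With HMAC this is always the case, because a fresh tag is needed and
    only the key holder can compute it."""
    return not verify_hmac_tag(key, data + suffix, tag)


if __name__ == "__main__":
    tag = hmac_tag(SECRET_KEY, MESSAGE)
    print("weak tag :", weak_tag(SECRET_KEY, MESSAGE))
    print("hmac tag :", tag)
    print("valid    :", verify_hmac_tag(SECRET_KEY, MESSAGE, tag))
    print("tampered :", tamper_detected(SECRET_KEY, MESSAGE, tag, b"&role=admin"))
```

The verifier uses `hmac.compare_digest` rather than `==` so that a timing difference in the string comparison cannot be used to recover the tag byte by byte; the key stays server-side and is never part of the transmitted data.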

~~~
Strilanc
I can easily imagine someone thinking that "crypto" covers the choice of hash
function, but not the prepend-secret-and-hash construction.

(I'm actually not sure how to quantify what is and isn't crypto, in a way
that's easy for a beginner to understand.)

~~~
DenisM
I think I know: _only use as directed_.

Only use a crypto component for the exact purpose that is stated on the tin.
Hash function turns lengthy text into a short unique digest. That's the only
thing you can use it for. If you try to use it for any other purpose, you will
likely screw it up.

~~~
Strilanc
Sure, but you need to then do something with that digest. Store it, compare it
against other digests, etc. Whether or not those actions constitute "crypto"
is hard to determine.

For example, git uses SHA-1 digests as unique identifiers for commits. Isn't
that extending hash functions from _unpredictable digest_ to _identity_? What
happens when someone finally finds a SHA-1 collision? When Linus made that
choice, was he breaking the rule about writing your own crypto?

~~~
DenisM
He was inventing his own crypto. The point is not to avoid design decisions
that reinvent crypto, the point is to recognize that's what you're trying to
do and seek expert help to guide your hand.

------
shin_lao
I thought HashPump could be used for hash length extension attacks.

[https://github.com/bwall/HashPump](https://github.com/bwall/HashPump)

It's a nice post nevertheless and another reason to use HMAC instead of custom
MAC (nota bene: SHA-3 is not vulnerable to this attack).

~~~
mooism2
Could you clarify please: is SHA-3 known to not be vulnerable to this attack,
or merely not known to be vulnerable to this attack?

~~~
ghshephard
Courtesy of tptacek,
[https://news.ycombinator.com/item?id=5776044](https://news.ycombinator.com/item?id=5776044)

"Most are vulnerable to length extension attacks. SHA3 (Ketchup) is not
vulnerable to length extension attacks, because resistance to length extension
was a design criteria for the SHA3 contest."

------
xenonite
Do I get this right: this attack renders suffix-salted passwords public?

~~~
StavrosK
Where did you get that from? You can only extend the hash with this, and get a
valid hash for "original data" || "something".

------
jhasse
I don't understand the following: Why doesn't the server change the length
encoded inside the hash when getting a longer string?

~~~
StavrosK
There's no length encoded inside the hash, where did you see that? Adding the
length in the total hash would probably mitigate this attack, although I'm not
sure it would defeat it.
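Added example (not from the linked article or from anyone in the thread) to show where the length actually lives: SHA-256 encodes the message length in bits in the final padding block it feeds to the compression function (FIPS 180-4), while the 32-byte digest itself carries no length field. The code computes that padding and reads the length back out of it; all message lengths used are constructed values.

```python
import hashlib
import struct

BLOCK_SIZE = 64  # SHA-256 processes 512-bit (64-byte) blocks


def md_padding(message_len: int) -> bytes:
    """Return the bytes SHA-256 appends to a message of message_len bytes
    before hashing: a single 0x80 byte, zero bytes up to 8 bytes short of
    a block boundary, then the message length in bits as a 64-bit
    big-endian integer."""
    bit_len = message_len * 8
    pad = b"\x80"
    # Choose the zero run so that message + 0x80 + zeros + 8-byte length
    # is a whole number of 64-byte blocks.
    zero_count = (BLOCK_SIZE - (message_len + 1 + 8) % BLOCK_SIZE) % BLOCK_SIZE
    pad += b"\x00" * zero_count
    pad += struct.pack(">Q", bit_len)
    return pad


def padded_length(message_len: int) -> int:
    """Total number of bytes the compression function processes."""
    return message_len + len(md_padding(message_len))


def encoded_bit_length(message_len: int) -> int:
    """Read the length field back out of the padding, to show that the
    length is part of the hashed input rather than of the digest."""
    return struct.unpack(">Q", md_padding(message_len)[-8:])[0]


def digest_size_bytes(message: bytes) -> int:
    """The digest is always 32 bytes, whatever the input length: the
    output carries no length information at all."""
    return len(hashlib.sha256(message).digest())


if __name__ == "__main__":
    # Constructed sample lengths: the boundary where one extra byte forces
    # a second padding block is the interesting case.
    for n in (0, 55, 56, 64):
        print(f"{n:3d} bytes -> {padded_length(n):3d} padded, "
              f"length field = {encoded_bit_length(n)} bits")
    print("digest size for empty input:", digest_size_bytes(b""))
    print("digest size for 1000 bytes :", digest_size_bytes(b"x" * 1000))
```

Because the padding is a deterministic function of the input length alone, a verifier that recomputes H(secret || data) is implicitly hashing that padding too; that is the property HMAC's nested, keyed construction removes, which is why the thread's advice is to use HMAC rather than to tack a length onto the message.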

