A hash extension attack exploits a vulnerability in certain cryptographic hash functions when they are used in certain ways, particularly when they are used to construct a Message Authentication Code (MAC) or digital signature without proper precautions. It takes advantage of the way many hash functions (like MD5, SHA-1, and SHA-256) process input block by block.

How a hash extension attack works

Before understanding a hash extension attack, it is essential to know how cryptographic hash functions typically work (see Hash function). When a hash function uses a chaining process, in which each hash block takes the previous output (the previous hash value) as the initialisation vector (IV) for the next hash iteration, a hash extension attack can proceed as follows. The attacker knows the message and its hash value, which is the result of the internal state after processing all blocks of the message. The attacker can now add an additional block to the chaining process:

  • Append new data
    • In the new block the attacker appends new data to the original message and its padding.
    • The previous internal state, which is the original hash value, is used as the IV for the new block.
  • Calculate hash
    • The hash value is re-calculated with the newly added block, and the resulting new hash value will be considered valid.

Attack prevention

  • HMAC
    • HMAC is designed to prevent length extension attacks and provide cryptographic integrity.
    • HMAC uses a secret key along with the message to compute the hash. Double hashing applies the hash function twice using and where both hash stages require the secret key; without the secret key, the attacker cannot add an additional hash block.
    • The intermediate state (inner hash) incorporates the key in a way that’s not exposed. An attacker who sees the final HMAC cannot deduce the inner hash directly, as it’s hashed again with the key and outer pad.
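
The chaining step and the HMAC defence described above, as an added example that is not code from the original page: a minimal SHA-1 compression function reuses a finished digest as the IV, so a prefix MAC of the form SHA1(key || message) verifies an extended message while HMAC does not. The key, message, suffix and all function names are constructed for illustration, and the combined length of key and message is assumed to be known.

```python
import hashlib, hmac, struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    """One SHA-1 chaining step: (previous state, 64-byte block) -> next state."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def md_padding(length):
    """SHA-1 padding for `length` bytes: 0x80, zeros, 64-bit big-endian bit count."""
    return b"\x80" + b"\x00" * ((55 - length) % 64) + struct.pack(">Q", length * 8)

def continue_from_digest(digest_hex, hashed_len, suffix):
    """Use a finished digest as the IV for new blocks; no key is needed."""
    state = struct.unpack(">5I", bytes.fromhex(digest_hex))
    glue = md_padding(hashed_len)  # padding the original computation already absorbed
    tail = suffix + md_padding(hashed_len + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = sha1_compress(state, tail[i:i + 64])
    return glue, struct.pack(">5I", *state).hex()

KEY = b"constructed-demo-key"    # constructed sample secret
MSG = b"user=alice&role=viewer"  # constructed sample message

def prefix_mac(key, msg):  # weak: the published digest is the full internal state
    return hashlib.sha1(key + msg).hexdigest()

def hmac_tag(key, msg):    # hardened: the outer keyed hash hides the inner state
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

def accepts(mac, suffix=b"&note=appended"):
    """True if a tag built only from mac(KEY, MSG) verifies for the extended message."""
    glue, tag = continue_from_digest(mac(KEY, MSG), len(KEY) + len(MSG), suffix)
    return hmac.compare_digest(tag, mac(KEY, MSG + glue + suffix))
```

Calling `accepts(prefix_mac)` and `accepts(hmac_tag)` shows the difference between the two constructions on the same key and message.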
