In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2, without needing to know the content of message1. This is problematic when the hash is used as a message authentication code with construction Hash(secret ‖ message),[1] and message and the length of secret is known, because an attacker can include extra information at the end of the message and produce a valid hash without knowing the secret. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack.[1][2][3] Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible,[4] nor is the SHA-3 algorithm.[5]
HMAC also uses a different construction and so is not vulnerable to length extension attacks.[6]
^ abVũ, Hoàng (2012-03-30). "MD5 Length Extension Attack Revisited - Vũ's Inner Peace". Archived from the original on 2014-10-29. Retrieved 2017-10-27.
^Meyer, Christopher (2012-07-30). "Hash Length Extension Attacks". Retrieved 2017-10-27.
^Bostrom, Michael (2015-10-29). "size_t Does Matter: Hash Length Extension Attacks Explained" (PDF). Retrieved 2020-11-23.
^Keccak Team. "Strengths of Keccak - Design and security". Retrieved 2017-10-27. Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.
^Lawson, Nate (2009-10-29). "Stop using unsafe keyed hashes, use HMAC". Retrieved 2017-10-27.
and 20 Related for: Length extension attack information
valid MAC ("length-extensionattack"). The alternative, appending the key using MAC = H(message ∥ key), suffers from the problem that an attacker who can...
discouraged due to the ease of collision attacks. MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is...
birthday attack is a bruteforce collision attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used...
sliding computational cost, used to reduce vulnerability to brute-force attacks. PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards...
the hash function being exposed to attacks including collision attacks, lengthextensionattacks, and preimage attacks. Constructing a cipher or hash to...
functions are vulnerable to length-extensionattacks: given hash(m) and len(m) but not m, by choosing a suitable m′ an attacker can calculate hash(m ∥ m′)...
change the signed document's content. An extension of the collision attack is the chosen-prefix collision attack, which is specific to Merkle–Damgård hash...
preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on...
values make precomputation attacks against these systems infeasible for almost any length of a password. Even if the attacker could generate a million tables...
For the purposes of determining how vulnerable RadioGatún is to lengthextensionattacks, only two words of its 58-word state are output between hash compression...
second-preimage attack in which an attacker creates a document other than the original that has the same Merkle hash root. For the example above, an attacker can...
derived from a hash function which takes a data input and returns a fixed length of bits. Although hash algorithms have been created with the intent of being...
in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be...
Digest access authentication was originally specified by RFC 2069 (An Extension to HTTP: Digest Access Authentication). RFC 2069 specifies roughly a traditional...
Arch Linux. The function is more resistant to offline password-cracking attacks than SHA-512. It is based on Scrypt. Lyra2 Password Hashing Competition...
MD5 hash function with a secret prefix, making it vulnerable to lengthextensionattacks. It also provided no protection for either the opening handshake...