JS
Uploaded byJerome Smith
PPTX, PDF7,612 views

Hash length extension attacks

The document discusses hash length extension attacks, detailing how they exploit vulnerabilities in hash algorithms like MD5 and SHA-1 by allowing an attacker to append additional data to a message without knowing the secret prefix. It explains the mechanics of the attack, including how an attacker can construct valid inputs to achieve a valid hash for altered messages. The final thoughts emphasize the potential high impact of such vulnerabilities and suggest that while attacks can be challenging to execute, they remain a serious security concern.

Embed presentation

Downloaded 42 times
Hash Length Extension Attacks Jerome Smith CamSec April 2017
Introduction • An application uses this scheme as an integrity check: hash($secret + $message) // where + denotes concatenation • Whenever the message is potentially subject to interference, the hash is sent alongside • The theory goes that any message tampering will be detected • But this is potentially vulnerable to a “hash length extension attack” • Secret prefix • Attacker knows message and hash • Vulnerable algorithm, e.g. MD5, SHA-1, SHA-256, SHA-512 (not SHA-384) • Thanks to Soroush Dalili @irsdl
What makes a hash vulnerable? • The hash algorithm chews on the input • At the end, the internal state of the hash algorithm is the hash it spits out • We can set the internal state of the hash algorithm to start from this point • We can then feed in more input • We now have a hash for a longer message that starts with the original input • It doesn’t matter if the input began with a secret, we don’t need to know it
Exploitation • Sounds great, doesn’t it? POST /transfer HTTP/1.1 account_from=10203040&account_to=90807060&amount=100&hash=AABBCC112233 // where hash = MD5("SECERET1020304090807060100") • So we set our MD5 state to AABBCC112233, feed in a 0 and get a new hash • This will “validate”: account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 // where hash = MD5("SECERET10203040908070601000") • Unfortunately it’s not that simple
Deep dive • MD5 is a block-based algorithm • Padding is used to prepare the input before it’s digested • Different algorithms use different schemes • Take a message M • The input that MD5 works on is: M + PADDING + LENGTH_OF_M • This will be some whole number of blocks in length • What does that mean for our attack?
What’s really going on account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 • We’d like hash = MD5("SECERET10203040908070601000") • When we run our hash length extension attack, the input to the hash is really: "SECERET1020304090807060100" + PADDING + LENGTH + "0" + PADDING + LENGTH • The “message” we have a valid hash for is: "SECERET1020304090807060100" + PADDING + LENGTH + "0" • The app is checking hash($secret + $account_from + $account_to + $amount) • We need to preserve account_from=10203040&account_to=90807060 • So that leaves amount="100" + PADDING + LENGTH + "0" • The first PADDING + LENGTH was originally “metadata”: it’s now part of the data • The crafted input isn’t tolerated in context
Demo • That’s not to say it can never work seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd74 0683e182f0 // where hash = MD5($secret + $seller_id + $reference + $amount) = MD5($secret + "1234widget145.20") = MD5($secret + "1234widget145.20" + PADDING + LENGTH) • So what about seller_id=1234&reference=widget145.20PADDINGLENGTH&amount=0.99&hash=398e6 d69a7fdf27744bd55cfdfc9fdb4 = MD5($secret + "1234widget145.20" + PADDING + LENGTH + "0.99") • This will work if the app accepts the weird reference value • https://github.com/iagox86/hash_extender ./hash_extender --data 1234widget145.20 --secret-min 8 --secret-max 12 -- append 0.99 --signature 75b145717ad82cfefdcd740683e182f0 --format md5
Final Thoughts • Not always exploitable – but when it is, impact can be high • Tricky to find in a pure black box test • If the hash scheme used a delimiter, the attack would still work • Just makes it harder to find – need to know delimiter as well • But it would stop a simpler attack: seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd 740683e182f0 seller_id=1234&reference=widget1&amount=45.20&hash=75b145717ad82cfefdcd 740683e182f0 • Secret suffix is vulnerable due to collisions • https://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/ • We’ve already solved the MAC problem • “Length Extension Attacks” Burp App – not tested
9 Questions?

More Related Content

PPTX
Transaction Processing in DBMS.pptx
byLovely Professional University
 
PPTX
Memory management in operating system | Paging | Virtual memory
byShivam Mitra
 
DOCX
Multiversion Concurrency Control Techniques
byRaj vardhan
 
PDF
Entity Relationship (ER) Model Questions
byMohd Tousif
 
PDF
Algorithm Design and Analysis
bySayed Chhattan Shah
 
PDF
Compiler unit 1
byBBDITM LUCKNOW
 
DOCX
Algorithm for Recovery and Isolation Exploiting Semantics (ARIES)
byPMAshokKumar
 
PDF
Dynamic Semantics
byEelco Visser
 
Transaction Processing in DBMS.pptx
byLovely Professional University
 
Memory management in operating system | Paging | Virtual memory
byShivam Mitra
 
Multiversion Concurrency Control Techniques
byRaj vardhan
 
Entity Relationship (ER) Model Questions
byMohd Tousif
 
Algorithm Design and Analysis
bySayed Chhattan Shah
 
Compiler unit 1
byBBDITM LUCKNOW
 
Algorithm for Recovery and Isolation Exploiting Semantics (ARIES)
byPMAshokKumar
 
Dynamic Semantics
byEelco Visser
 

What's hot

PPTX
Acid properties
byNomitaKumawat
 
PPTX
Bootstrapping in Compiler
byAkhil Kaushik
 
PDF
Backpatching in Compiler Construction
byMuhammad Haroon
 
PPTX
Operating system 29 non preemptive scheduling
byVaibhav Khanna
 
PDF
OS scheduling and The anatomy of a context switch
byDaniel Ben-Zvi
 
PDF
Kafka to the Maxka - (Kafka Performance Tuning)
byDataWorks Summit
 
PDF
HBase
byPooja Sunkapur
 
PPTX
Lexical Analyzer Implementation
byAkhil Kaushik
 
PPT
Process of operating system
byInternational Center for Chemical & Biological Sciences
 
PPTX
Transaction and serializability
byYogita Jain
 
PPT
Object Oriented Database Management System
byAjay Jha
 
PPTX
Os unit 3 , process management
byArnav Chowdhury
 
PPTX
Closure properties
byDr. ABHISHEK K PANDEY
 
PPTX
Shift reduce parser
byTEJVEER SINGH
 
PPT
basics of compiler design
byPreeti Katiyar
 
ODP
Apache hadoop hbase
bysheetal sharma
 
PPTX
Introduction to Sharding
byMongoDB
 
PPTX
Hadoop Architecture
byDr. C.V. Suresh Babu
 
PPTX
Process state in OS
byKhushboo Jain
 
PPT
Cache memory and cache
byVISHAL DONGA
 
Acid properties
byNomitaKumawat
 
Bootstrapping in Compiler
byAkhil Kaushik
 
Backpatching in Compiler Construction
byMuhammad Haroon
 
Operating system 29 non preemptive scheduling
byVaibhav Khanna
 
OS scheduling and The anatomy of a context switch
byDaniel Ben-Zvi
 
Kafka to the Maxka - (Kafka Performance Tuning)
byDataWorks Summit
 
HBase
byPooja Sunkapur
 
Lexical Analyzer Implementation
byAkhil Kaushik
 
Process of operating system
byInternational Center for Chemical & Biological Sciences
 
Transaction and serializability
byYogita Jain
 
Object Oriented Database Management System
byAjay Jha
 
Os unit 3 , process management
byArnav Chowdhury
 
Closure properties
byDr. ABHISHEK K PANDEY
 
Shift reduce parser
byTEJVEER SINGH
 
basics of compiler design
byPreeti Katiyar
 
Apache hadoop hbase
bysheetal sharma
 
Introduction to Sharding
byMongoDB
 
Hadoop Architecture
byDr. C.V. Suresh Babu
 
Process state in OS
byKhushboo Jain
 
Cache memory and cache
byVISHAL DONGA
 

Similar to Hash length extension attacks

PPTX
Message Digest message digest ppttsx.pptx
byLaxmipujaBiradar
 
PDF
Md5
byannamalai
 
PDF
Applied cryptanalysis - everything else
byVlad Garbuz
 
PDF
CNIT 141: 6. Hash Functions
bySam Bowne
 
PDF
CNIT 141 6. Hash Functions
bySam Bowne
 
PDF
CNIT 141: 6. Hash Functions
bySam Bowne
 
DOCX
Compliance collisions-misconceptions
byRichard Bocchinfuso
 
PDF
Mj2521372142
byIJERA Editor
 
PDF
When Crypto Attacks! (Yahoo 2009)
byNate Lawson
 
PDF
MD5.pptx.pdf
byPrateekKarkera1
 
PDF
Encryption: It's For More Than Just Passwords
byJohn Congdon
 
PPTX
Unit 4 HASH FUNCTION for cryptographyandcybersecurity.pptx
byTamilSelvi165
 
PDF
0xdec0de01 crypto CTF solutions
byVlad Garbuz
 
PPTX
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
byHackIT Ukraine
 
PDF
The slower the stronger a story of password hash migration
byOWASP
 
PDF
Crypto Strikes Back! (Google 2009)
byNate Lawson
 
PDF
Public Key Encryption & Hash functions
byDr.Florence Dayana
 
PDF
IRJET - Hash Functions and its Security for Snags
byIRJET Journal
 
PPT
An Introduction to Hashing: A basic understanding
byprabhatv1
 
PDF
Web Crypto
bykarlvr
 
Message Digest message digest ppttsx.pptx
byLaxmipujaBiradar
 
Md5
byannamalai
 
Applied cryptanalysis - everything else
byVlad Garbuz
 
CNIT 141: 6. Hash Functions
bySam Bowne
 
CNIT 141 6. Hash Functions
bySam Bowne
 
CNIT 141: 6. Hash Functions
bySam Bowne
 
Compliance collisions-misconceptions
byRichard Bocchinfuso
 
Mj2521372142
byIJERA Editor
 
When Crypto Attacks! (Yahoo 2009)
byNate Lawson
 
MD5.pptx.pdf
byPrateekKarkera1
 
Encryption: It's For More Than Just Passwords
byJohn Congdon
 
Unit 4 HASH FUNCTION for cryptographyandcybersecurity.pptx
byTamilSelvi165
 
0xdec0de01 crypto CTF solutions
byVlad Garbuz
 
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
byHackIT Ukraine
 
The slower the stronger a story of password hash migration
byOWASP
 
Crypto Strikes Back! (Google 2009)
byNate Lawson
 
Public Key Encryption & Hash functions
byDr.Florence Dayana
 
IRJET - Hash Functions and its Security for Snags
byIRJET Journal
 
An Introduction to Hashing: A basic understanding
byprabhatv1
 
Web Crypto
bykarlvr
 

Recently uploaded

PDF
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
JAVA Programming Lecture 1 C 4 Yourself.pptx
byyvsbglfaeahuyldzhq
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PPTX
How Blockchain Application Development Enables Trustless Digital Ecosystems.pptx
byLisa ward
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PDF
Early Signs of Constraint Loss in Modern System Design
byReality Drift Archive
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PDF
Purple Team - Active Directory and AzureAD v1
byVICTOR MAESTRE RAMIREZ
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PDF
Governing Agentic Enterprise - From Shadow AI to Autonomous Security.pdf
bysajjasridhar1990
 
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
JAVA Programming Lecture 1 C 4 Yourself.pptx
byyvsbglfaeahuyldzhq
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
How Blockchain Application Development Enables Trustless Digital Ecosystems.pptx
byLisa ward
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
Early Signs of Constraint Loss in Modern System Design
byReality Drift Archive
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
Purple Team - Active Directory and AzureAD v1
byVICTOR MAESTRE RAMIREZ
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
Governing Agentic Enterprise - From Shadow AI to Autonomous Security.pdf
bysajjasridhar1990
 

Hash length extension attacks

  • 1.
    Hash Length ExtensionAttacks Jerome Smith CamSec April 2017
  • 2.
    Introduction • An applicationuses this scheme as an integrity check: hash($secret + $message) // where + denotes concatenation • Whenever the message is potentially subject to interference, the hash is sent alongside • The theory goes that any message tampering will be detected • But this is potentially vulnerable to a “hash length extension attack” • Secret prefix • Attacker knows message and hash • Vulnerable algorithm, e.g. MD5, SHA-1, SHA-256, SHA-512 (not SHA-384) • Thanks to Soroush Dalili @irsdl
  • 3.
    What makes ahash vulnerable? • The hash algorithm chews on the input • At the end, the internal state of the hash algorithm is the hash it spits out • We can set the internal state of the hash algorithm to start from this point • We can then feed in more input • We now have a hash for a longer message that starts with the original input • It doesn’t matter if the input began with a secret, we don’t need to know it
  • 4.
    Exploitation • Sounds great,doesn’t it? POST /transfer HTTP/1.1 account_from=10203040&account_to=90807060&amount=100&hash=AABBCC112233 // where hash = MD5("SECERET1020304090807060100") • So we set our MD5 state to AABBCC112233, feed in a 0 and get a new hash • This will “validate”: account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 // where hash = MD5("SECERET10203040908070601000") • Unfortunately it’s not that simple
  • 5.
    Deep dive • MD5is a block-based algorithm • Padding is used to prepare the input before it’s digested • Different algorithms use different schemes • Take a message M • The input that MD5 works on is: M + PADDING + LENGTH_OF_M • This will be some whole number of blocks in length • What does that mean for our attack?
  • 6.
    What’s really goingon account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 • We’d like hash = MD5("SECERET10203040908070601000") • When we run our hash length extension attack, the input to the hash is really: "SECERET1020304090807060100" + PADDING + LENGTH + "0" + PADDING + LENGTH • The “message” we have a valid hash for is: "SECERET1020304090807060100" + PADDING + LENGTH + "0" • The app is checking hash($secret + $account_from + $account_to + $amount) • We need to preserve account_from=10203040&account_to=90807060 • So that leaves amount="100" + PADDING + LENGTH + "0" • The first PADDING + LENGTH was originally “metadata”: it’s now part of the data • The crafted input isn’t tolerated in context
  • 7.
    Demo • That’s notto say it can never work seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd74 0683e182f0 // where hash = MD5($secret + $seller_id + $reference + $amount) = MD5($secret + "1234widget145.20") = MD5($secret + "1234widget145.20" + PADDING + LENGTH) • So what about seller_id=1234&reference=widget145.20PADDINGLENGTH&amount=0.99&hash=398e6 d69a7fdf27744bd55cfdfc9fdb4 = MD5($secret + "1234widget145.20" + PADDING + LENGTH + "0.99") • This will work if the app accepts the weird reference value • https://github.com/iagox86/hash_extender ./hash_extender --data 1234widget145.20 --secret-min 8 --secret-max 12 -- append 0.99 --signature 75b145717ad82cfefdcd740683e182f0 --format md5
  • 8.
    Final Thoughts • Notalways exploitable – but when it is, impact can be high • Tricky to find in a pure black box test • If the hash scheme used a delimiter, the attack would still work • Just makes it harder to find – need to know delimiter as well • But it would stop a simpler attack: seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd 740683e182f0 seller_id=1234&reference=widget1&amount=45.20&hash=75b145717ad82cfefdcd 740683e182f0 • Secret suffix is vulnerable due to collisions • https://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/ • We’ve already solved the MAC problem • “Length Extension Attacks” Burp App – not tested
  • 9.

Editor's Notes

  • #6 For MD5: PADDING is 0x80 plus null bytes LENGTH is bits in a little-endian 8 byte-field
  • #7 PADDING and LENGTH not necessarily printable bytes and make no sense in context of app
  • #8 Output of hash_extender is ASCII hex of $data + PADDING + LENGTH + $append PADDING starts 0x800000… LENGTH is length($secret + $data) in bits (“SUPERSECRET1234widget145.20” = 27 bytes = 216 bits = 0xD8) Need “data” parameter so it knows how much PADDING and LENGTH to tack on (technically could just be a number but output includes that data) Output differs with length of secret as longer secret -> shorter padding and shorter length, but “new signature” i.e. new hash same as we’re winding on the hash from the same start point (the given hash) with the same data appended
  • #9 Delimiter stops parameter manipulation when concatenation used Doesn’t stop hash length extension if delimiter known… ---------------------------------------- /hash/pay-delim.php seller_id=1234&reference=widget&amount=145.20&hash=f9243d9e5b806d8bb3e5746024f6c124 App is calculating: MD5($secret + ":1234:widget:145.20") Of course actually it’s calculating: MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH) ./hash_extender --data :1234:widget:145.20 --secret-min 8 --secret-max 12 --append :0.99 --signature f9243d9e5b806d8bb3e5746024f6c124 --format md5 seller_id=1234&reference=widget:145.20%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0%00%00%00%00%00%00%00&amount=0.99&hash=05c695020d4e3bba16071d6c8b514b3a App calculates MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH + ":0.99")