Length extension attack

Overview [1] [2]#

Length extension attack where an attacker can use Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an attacker-controlled message2.

In this context, signing a message is done by prepending the secret to the hash value and can be verified by any recipient who also shares the secret. Length extension attack can be used to sign a message when a Merkle–Damgård based hash is misused as a Message Authentication Code, allowing for inclusion of extra information at the end of the current message.

Length extension attack can be done on hashes with construction H(secret ‖ message) when message and the length of secret is known. Algorithms like MD5, SHA-1, and SHA-2 that are based on the Merkle-Damgard construction are susceptible to this kind of attack. '

HMAC hashes are not prone to Length extension attack.

SHA-3 algorithm is not susceptible to the Length extension attack

More Information#

There might be more information for this subject on one of the following: