!!! Overview [1] [2]
[{$pagename}] where an [attacker] can use [Hash](message1) and the length of message1 to calculate [Hash](message1 ‖ message2) for an [attacker]-controlled message2. 

In this [context], signing a message is done by prepending the [secret] to the [hash] value and can be verified by any recipient who also shares the [secret]. 
[{$pagename}] can be used to sign a message when a Merkle–Damgård based [hash] __is misused__ as a [Message Authentication Code], allowing for inclusion of extra information at the end of the current [message].

[{$pagename}] can be done on hashes with construction H(secret ‖ message) when [message] and the length of secret is known. [Algorithms] like [MD5], [SHA-1], and [SHA-2] that are based on the [Merkle-Damgard construction] are susceptible to this kind of [attack]. '

%%information
[HMAC] hashes are not prone to [{$pagename}].
%%


[SHA-3] [algorithm] is not susceptible to the [{$pagename}]



!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Length_extension_attack|Wikipedia:Length_extension_attack|target='_blank'] - based on information obtained 2018-08-28- 
* [#2] - [Everything you need to know about hash length extension attacks|https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks|target='_blank'] - based on information obtained 2018-08-28-