TL;DR
Hash length extension attacks exploit weaknesses in how some hash functions are used with message authentication codes (MACs). You can avoid them by using a keyed-hash function like HMAC, or by prepending the data with a secret key before hashing. Don’t build your own MACs; use established libraries.
Understanding Hash Length Extension Attacks
Imagine you have a message and its hash. An attacker can add extra data to the original message without knowing the original message itself, and still calculate a valid hash for the combined result – if they know the length of the original message. This is because many simple MAC constructions are vulnerable.
Why They Happen
The problem arises when you simply concatenate a secret key with your data and then hash it. Hash functions like MD5, SHA-1, and SHA-256 have this property: knowing the length of the original message allows an attacker to ‘extend’ the hash.
How to Prevent Hash Length Extension Attacks
- Use HMAC (Hash-based Message Authentication Code): This is the best solution. HMAC uses a secret key and a cryptographic hash function in a way that prevents length extension attacks. Most programming languages have built-in HMAC implementations.
# Python example import hmac import hashlib key = b'secret_key' message = b'This is the message' hmac_obj = hmac.new(key, message, hashlib.sha256) digested = hmac_obj.digest() print(digested) - Use a Keyed-Hash Function with Prepending: If you can’t use HMAC for some reason (very rare), prepend the secret key to your data before hashing.
# Example in pseudocode secret_key = "mysecret" data = "important message" hash_input = secret_key + data hash = hash_function(hash_input)This makes it much harder for an attacker to manipulate the hash without knowing the key.
- Avoid Building Your Own MACs: Seriously, don’t do this! Cryptography is hard, and subtle errors can lead to serious security vulnerabilities. Use well-vetted libraries like OpenSSL or those provided by your programming language.
- Using a library ensures the correct implementation of cryptographic primitives.
- Libraries are often updated to address new attacks.
- Salt Your Data: While not a direct fix for length extension, adding a random salt before hashing increases security against other types of attacks (like rainbow table attacks) and can make exploitation more difficult.
# Example in Python import os salt = os.urandom(16) data = "important message" hash_input = salt + data hash = hashlib.sha256(hash_input).hexdigest() - Consider Using More Modern Hash Functions: SHA-3 is a more recent hash function family that offers improved security properties compared to older algorithms like MD5 and SHA-1. However, this alone doesn’t prevent length extension attacks if you are using a vulnerable MAC construction.
Important Considerations
- Key Management: The security of your system depends on keeping the secret key safe. Use strong key generation practices and secure storage mechanisms.
- Library Updates: Regularly update your cryptographic libraries to benefit from bug fixes and security improvements.