size_t Does Matter: Hash Length Extension Attacks Explained

SLIDE 1

size_t Does Matter

Mika Boström <bostik@iki.fi>, <mika.bostrom@smarkets.com> dc4420, 2015-10-29

Hash Length Extension Attacks Explained

SLIDE 2

Cryptographic Hash Properties

  • Digest Size (n bits)
  • Input Block Size (m bits)
  • m > n
  • Input processed block at a time
  • Mutates internal state
  • In other words: blocks are chained
  • Merkle-Damgård: last block padded, includes number of bytes processed

SLIDE 3

Hash Length Extension

  • "Append data to a keyed hash, without knowing the key, and calculate a valid hash with your data included"
  • Or, programmer friendly:
    – H1 = H(key + data + padding)
    – Transmit H1, data
    – Attacker: append $EVILDATA, calculate H2
    – Transmit: H2, (data+$EVILDATA)
    – Receiver: calculate H = H(key + received data)
  • H = H2

SLIDE 4

SHA-1 Properties

  • 160-bit output
  • 512-bit input block
  • Merkle-Damgård construct

– Yes, that Merkle

SLIDE 5

SHA-1 Internal State

    #include <stdint.h>

    /* SHA-1 chaining state: five 32-bit words */
    struct SHA1State {
        uint32_t A;
        uint32_t B;
        uint32_t C;
        uint32_t D;
        uint32_t E;
    };

SLIDE 6

SHA-1 Internal State

    #include <stdint.h>

    /* SHA-1 chaining state: five 32-bit words */
    struct SHA1State {
        uint32_t A;
        uint32_t B;
        uint32_t C;
        uint32_t D;
        uint32_t E;
    };

SLIDE 7

SHA-1 Final Hash … visualised

uint32 A | uint32 B | uint32 C | uint32 D | uint32 E

SLIDE 8

Keyed Hash

  • Secret shared key
  • Known payload data
  • Hash = H(key + data)

Looks a bit like … salted hash?

SLIDE 9

Hash Extension Illustrated

SLIDE 10

Hash Extension Illustrated

  • Key + padding missing
  • Padding: includes number of bytes hashed
  • Guess key length, calculate padding!

SLIDE 11

Hash Extension Illustrated

SLIDE 12

Hash Extension Illustrated

  • Hash is valid over the whole of preceding data, with the key prefixed
  • Attacker did not need to know the shared key
  • Effect of EVIL DATA depends on implementation
  • Would you guarantee your implementation handles every possible case of malformed but accepted-as-good input?

SLIDE 13

Moral Of The Story

  • Keyed hash as authentication method: broken
  • Just use HMAC instead
  • … even with SHA-3
  • … because someone could plug a vulnerable hash into the construct
  • Applied crypto is a world of cargo-culting
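
An added example, not from the original slides: a pure-Python SHA-1 compression function resumes hashing from a published H(key + data) digest, so a verifier built on the keyed hash accepts the extended message while an HMAC verifier rejects it. KEY, the sample data and all function names are constructed for illustration, and the true key length is passed in rather than guessed.

```python
import hashlib, hmac, struct

KEY = b"constructed-secret"  # constructed sample key; extend() only ever sees its length

def md_padding(msg_len):
    """SHA-1 padding: 0x80, zeros, then the 64-bit message length in bits."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def compress(state, block):
    """Mix one 64-byte block into the five-word SHA-1 state (A..E)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rol(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))

def extend(digest, data, key_len, extra):
    """Resume hashing from a published digest; the key itself is never used."""
    glue = md_padding(key_len + len(data))   # padding the signer's hash already absorbed
    state = struct.unpack(">5I", digest)     # the digest is the exported internal state
    total = key_len + len(data) + len(glue) + len(extra)
    tail = extra + md_padding(total)
    for i in range(0, len(tail), 64):
        state = compress(state, tail[i:i + 64])
    return data + glue + extra, struct.pack(">5I", *state)

def naive_tag(msg):  # H(key + data): the construct the slides call broken
    return hashlib.sha1(KEY + msg).digest()
def hmac_tag(msg):   # the replacement the slides recommend
    return hmac.new(KEY, msg, hashlib.sha1).digest()

def demo(data=b"user=alice", extra=b"&appended"):
    """Return (keyed-hash verifier accepts extension, HMAC verifier accepts extension)."""
    msg, tag = extend(naive_tag(data), data, len(KEY), extra)
    _, tag2 = extend(hmac_tag(data), data, len(KEY), extra)
    return hmac.compare_digest(naive_tag(msg), tag), hmac.compare_digest(hmac_tag(msg), tag2)
```

demo() returns (True, False): the same extension that passes the keyed-hash check fails against HMAC, because the HMAC output is not the state of a hash over key + data.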
SLIDE 14

Trivia: Also Vulnerable

  • MD5 (d'oh)
  • SHA-256
  • SHA-512
  • RIPEMD-160

SLIDE 15

Trivia: Not Vulnerable

  • SHA-384 (truncated)
  • SHA-256/512 (truncated)
  • SHA-3 (incomplete state export)

SLIDE 16

Code Gone Wild

  • https://github.com/stephenbradshaw/hlextend
  • https://github.com/bwall/HashPump
  • https://github.com/iagox86/hash_extender
  • Just to name a few

SLIDE 17

Question Time