A length extension attack is a cryptographic attack that targets hash functions that use the Merkle-Damgård construction, which includes popular hash functions like MD5 and SHA-1. The attack takes advantage of the way these hash functions process input by dividing it into blocks and iteratively updating an internal state. The output of the hash function is typically the final state after processing the entire input.
Here’s how a length extension attack works:
1. The attacker knows the length of the original message and the hash of that message.
2. The attacker appends additional data (the extension) to the original message without knowing the content of the original message.
3. The attacker then calculates the new hash by initializing the internal state of the hash function with the known hash value and continuing the hashing process over the appended extension.
4. Since the hash function uses the length of the input to determine the internal state, the attacker can compute the intermediate state of the hash function after the original message and then continue hashing the extension.
5. The resulting hash from step 4 is now the hash of the original message concatenated with the extension, even though the attacker doesn’t know the content of the original message.
This attack is possible because the Merkle-Damgård construction doesn’t include the length of the input as part of the hash output. Therefore, an attacker can forge a valid hash by extending the input and recomputing the hash starting from the known hash.
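The steps above can be checked against SHA-1, one of the affected functions named earlier; this is an added example, not code from the original page. `ORIGINAL`, `EXT` and the helper names are constructed for illustration, and the extended input contains the original message's padding between the message and the extension.

```python
import hashlib
import struct

def md_padding(n: int) -> bytes:
    # SHA-1 padding for an n-byte input: 0x80, zeros, 64-bit big-endian bit length.
    return b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack(">Q", n * 8)

def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def sha1_compress(state, block):
    # One Merkle-Damgard step: mix a 64-byte block into the five-word state.
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = t, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1_resume(digest: bytes, data: bytes, absorbed: int) -> bytes:
    # Reload the digest as the internal state and keep hashing, as if
    # `absorbed` bytes (a multiple of 64) had already been processed.
    state = struct.unpack(">5I", digest)
    data += md_padding(absorbed + len(data))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)

# Constructed sample values, not from the page.
ORIGINAL = b"constructed-secret|user=alice&role=viewer"
EXT = b"&note=appended"

def extension_matches() -> bool:
    known_hash = hashlib.sha1(ORIGINAL).digest()     # step 1: hash is known
    glue = md_padding(len(ORIGINAL))                 # step 1: only the length is used
    absorbed = len(ORIGINAL) + len(glue)
    extended = sha1_resume(known_hash, EXT, absorbed)  # steps 3-4: ORIGINAL not used
    # Step 5: compare with a real hash over the full extended input.
    return extended == hashlib.sha1(ORIGINAL + glue + EXT).digest()
```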
To mitigate length extension attacks, it is recommended to use hash functions that are designed with built-in protections, such as the SHA-3 family (e.g., SHA3-256, SHA3-512) or the SHA-2 variants (e.g., SHA-256, SHA-512). These hash functions employ different constructions that do not exhibit the vulnerability to length extension attacks present in Merkle-Damgård-based hash functions.