
Understanding Length Extension Attacks on Hash Functions
Explore the concept of length extension attacks on hash functions, learn how they can be used to append data to signed messages, and gain practical experience in executing such attacks. Understand the vulnerabilities in Merkle-Damgård construction and how attackers can exploit them to include extra data without knowledge of the secret key.
Presentation Transcript
Workshop 2: Length Extension Attack. Zhou Peng, March 07, 2014
Objectives: Understand one-way hash functions and message digests. Understand how to use a length extension attack to append data to a signed message. Obtain hands-on experience with the length extension attack.
One-way Hash Function: A function that is easy to compute on every input, but hard to invert given the image of a random input. Let h() be a one-way function and assume h(a) = b. Given a, it is easy to compute b; given b, it is hard to compute a. Examples: MD5, SHA-1, SHA-256, etc. Try the SHA-1 calculator at http://www.xorbin.com/tools/sha1-hash-calculator. References: http://en.wikipedia.org/wiki/Cryptographic_hash_function
Message Authentication Code (MAC): A MAC is used to verify the data integrity of a message. It uses a one-way function to calculate a hash value of a secret concatenated with a given message. Let m be a message and s be a secret, and let s||m be s concatenated with m. The secret s is used for authentication. The message digest h(s||m) is used by the receiver to verify whether message m was modified by attackers in transit. Why? References: http://en.wikipedia.org/wiki/Message_authentication_code
Length Extension Attacks: A type of attack against hash functions that allows the inclusion of extra data without knowledge of the secret. Attack details. Knowledge: h(s||m) and m. Target: append m' to m and compute the correct h(s||m||m'). Exploit: a vulnerability in the Merkle–Damgård construction, which iteratively calls the hash function on a message-block basis. References: http://en.wikipedia.org/wiki/Length_extension_attack
Merkle–Damgård construction: The Merkle–Damgård construction breaks the original data (s||m) into message blocks. Let b be the size of a message block. If (s||m) % b != 0, additional content p is padded onto s||m to ensure (s||m||p) % b == 0. References: http://en.wikipedia.org/wiki/Length_extension_attack
Merkle–Damgård construction: Merkle–Damgård builds a hash chain over the message blocks, where the hash value of each predecessor is used as the input to the successor hash function. References: http://en.wikipedia.org/wiki/Length_extension_attack
Vulnerability: Attackers know h(s||m||p) and m. They must guess the length of the secret s to compute p. They can then append arbitrary data to the original data with its padding (i.e., m||p) and compute the correct hash of the appended message. Why?
Vulnerability: The original data of h(s||m||p||m'||p') is m||p||m', where m' is the data controlled by attackers and p requires the attackers to guess. Guessing the length of the secret s is the key to computing the padding content p!
Public Padding Pattern: The padded data p follows a standard: the first bit of p is 1, followed by successive 0 bits until 64 bits are left, which hold the length of s||m. References: https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
Padding Details: Given a length of (s||m) of 80 bits (10 bytes), pad (512 - 80) = 432 bits in total. First pad the fixed-format (512 - 80 - 64) = 368 bits: the 368 bits of padding are (10000000...000), one 1 and 367 0s. The last 64 bits hold the length of s||m. Attackers must guess the length of s||m. Length extension attack! References: https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
A Length Extension Attack Example: Assume the secret is "password" and the original data is "data"; the SHA-1 signature is then 6f5a7284246a7693c5f37f19f26609af84f56431. Attackers attempt to append "attacking" to the original data. The new data is (note the %60, the length of (s||m) = 12 bytes = 96 (0x60) bits):
data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60attacking
The new signature is a2feef179114b40605307e0ca260a3e72a56017c
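A detection-side view of the padding layout above, added here as an example and not part of the original slides: a verifier that knows its own secret length can check whether a request parameter embeds the exact padding SHA-1 would have added to s||m. The names `md_pad`, `find_glue`, `consistent_secret_lengths` and `SAMPLE` are introduced for this example, and `SAMPLE` is constructed from the slide's values.

```python
import struct
from urllib.parse import unquote_to_bytes

BLOCK = 64  # SHA-1 block size in bytes (512 bits)

def md_pad(total_len):
    """Padding for a total_len-byte input: 0x80, zero bytes, 64-bit bit length."""
    zeros = (BLOCK - 9 - total_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def find_glue(param, secret_len):
    """Return (original_data, appended_data) if the percent-encoded `param`
    embeds the padding of secret||original_data, else None."""
    raw = unquote_to_bytes(param)
    start = raw.find(b"\x80")
    while start != -1:
        glue = md_pad(secret_len + start)  # padding expected at this offset
        if raw[start:start + len(glue)] == glue:
            return raw[:start], raw[start + len(glue):]
        start = raw.find(b"\x80", start + 1)
    return None

def consistent_secret_lengths(param, max_len=64):
    """Secret lengths for which `param` contains well-formed embedded padding."""
    return [n for n in range(max_len + 1) if find_glue(param, n) is not None]

# Constructed sample: the slide's "new data" (secret length 8, data "data").
SAMPLE = "data%80" + "%00" * 50 + "%60" + "attacking"

if __name__ == "__main__":
    print(find_glue(SAMPLE, 8))               # split around the embedded padding
    print(consistent_secret_lengths(SAMPLE))  # which secret lengths it fits
```

A match is a heuristic signal only, since binary data can legitimately contain these bytes; the fix is the MAC construction, not input filtering.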
Tool: hash_extender: https://github.com/iagox86/hash_extender
VM: Y:\Tutorials\VM_image\Ubuntu12\ubuntu_xp.cmd
Command line usage:
    sudo apt-get install git g++ libssl-dev
    git clone https://github.com/iagox86/hash_extender
    cd hash_extender/
    make
    ./hash_extender -h
    ./hash_extender -d data -a attacking -l 8 -s 6f5a7284246a7693c5f37f19f26609af84f56431 -f sha1 --out-data-format=html
Demo Page: http://158.132.255.16:25005/comp444/demo.php?d=data&h=6f5a7284246a7693c5f37f19f26609af84f56431
The attacker knows the hash function is SHA-1() and the length of the secret is 8. They try to append the new data "attacking" to the end of the original data:
http://158.132.255.16:25005/comp444/demo.php?d=dataattacking&h=6f5a7284246a7693c5f37f19f26609af84f56431
See what happens?
    ./hash_extender -d data -a attacking -l 8 -s 6f5a7284246a7693c5f37f19f26609af84f56431 -f sha1 --out-data-format=html
    Type: sha1
    Secret length: 8
    New signature: a2feef179114b40605307e0ca260a3e72a56017c
    New string: data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60attacking
http://158.132.255.16:25005/comp444/demo.php?d=data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60attacking&h=a2feef179114b40605307e0ca260a3e72a56017c
See what happens?
Preventing Length Extension Attack: Possible solutions. MAC: h(s||m||s). HMAC: h((s ⊕ opad) || h((s ⊕ ipad) || m)). Try HMAC at http://www.freeformatter.com/hmac-generator.html. Is the length extension attack defeated? Reference: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
Problems
1. Given a secret "password", a SHA-1 hash 6d5f807e23db210bc254a28be2d6759a0f5f5d77 and original data "polyu", please append a new message "computing" to the end of the original data, and let me know the resulting appended data and the new digest. (10 marks)
   a. Please use --out-data-format=html for your answer.
2. Given a vulnerable web page http://158.132.255.16:25005/comp444/assignment.php?d=data&h=46071a0ad0dc4c51e83d05410ff80b80f3ee6cc1, please append a new message "attacking" to the end of parameter d and make the web server accept your data (you should see the message "Your hash is correct. Great!" in your browser). Answer the following questions:
   a. How long is the secret used by the vulnerable page? (5 marks)
   b. What is the new digest when you successfully append "attacking"? (5 marks)
Problems (Cont.)
3. Given a block size of 512 bits, is it possible for the size of the padding content to be larger than 512 bits? If no, please elaborate your reason. If yes, please give examples. (10 marks) Hint: each padding must have a 64-bit padding length and at least one bit.
4. Test whether other well-known hash functions (http://en.wikipedia.org/wiki/Cryptographic_hash_function, except for SHA-1 and MD5) suffer from length extension attacks (1 mark each). Include the output of each successful attack.
Submission: The questions will be submitted with other workshop questions at the end of the term.
Questions?