Hash Length Extension
What's affected ?
- Hashing algorithm which uses the "Merkle-Damgard" structure.
- Example : MD5, SHA1, SHA256, SHA512
Merkle-Damgard
S = F(S, B)
Basic operation
Block (B) - Fixed size
In State (S)
Fixed size
Out State (S)
Fixed size
This function let's you hash a fixed size message.
Merkle-Damgard
Basic operation
- The "F" function for MD5 :
https://gist.github.com/HoLyVieR/11e464a91b290e33b38e#file-md5-py-L230
- Name that you will see in other implementation
- transform
- md5_compress
- The "state" parameter is often defined as a class variable.
Merkle-Damgard
Hashing variable length message
- Block chaining
- Requires padding
- The output of the last chain is the "hash".
Merkle-Damgard
Padding
- For MD5
- Append "\x80".
- Append "\x00" until there's only 8 bytes to fill.
- Append the size of the message on 8 bytes.
- https://gist.github.com/HoLyVieR/11e464a91b290e33b38e#file-md5-py-L215
Merkle-Damgard
source : http://commons.wikimedia.org/wiki/File:Merkle-Damgard_hash_big.svg
Chaining
- The IV is a constant for the hashing algorithm
- MD5 doesn't have a finalisation step
Extension
Extension
- The output will be the hash of :
- Initial message +
- Padding of the initial message +
- Appended message
- This is interesting because we can predict a hash output even if part of the initial message is unknown.
Example
- Broken signature method
- Hash/Signature = MD5(shared secret + message)
- If we extend the hash, the new hash will be the hash of
- Initial message (shared secret + message) +
- Padding of initial message +
- Appended message
- Result is "shared secret + message + padding + new message"
- The result obtained is the hash/signature of "message + padding + new message"
- Merkle-Damgard hashing algorithm can be used safely for signature, but you need the HMAC structure for that !
Challenges
- Main challenge
- Win at the lottery
-
https://gist.github.com/HoLyVieR/bbbe95bfa492ef57fd62
- Extra challenge
- Find the value of "FIND_ME"
- https://gist.github.com/HoLyVieR/947bedcb763df27f3e9a
IP : 172.20.64.108
Challenges
- Hints (1)
- Part of the output of the hash can obtained by setting the odds really high !
- Figure a way to test missing bytes.
Challenges
- Hints (1)
- Part of the output of the hash can obtained by betting a lot of money !
- Figure a way to test missing bits.
- Hints (2)
- To test the missing bits, bid
- "a" = XXXXab87a7b88a8a.... = H(S + "a" + padding)
- "a" + padding + "b" = H(S + "a" + padding + "b" + padding)
- Bruteforce the missing bits of the 1st bid until the extension gives output the 2nd bid.
- You can now predict the output, bid wisely and make a lot cash.
- To test the missing bits, bid
Challenges
- Solutions
- https://gist.github.com/HoLyVieR/2224af63adb804b68cef
- https://gist.github.com/HoLyVieR/912a7769e90ded9fcda3
Hash Length Extension - MontreHack
By Olivier Arteau
Hash Length Extension - MontreHack
- 2,142