Hash Length Extension

What's affected ?

  • Hashing algorithm which uses the "Merkle-Damgard" structure.
     
  • Example : MD5, SHA1, SHA256, SHA512

Merkle-Damgard

S = F(S, B)

Basic operation

Block (B) - Fixed size

In State (S)

Fixed size

Out State (S)

Fixed size

This function let's you hash a fixed size message.

Merkle-Damgard

Basic operation

  • The "F" function for MD5 :

    https://gist.github.com/HoLyVieR/11e464a91b290e33b38e#file-md5-py-L230
     
  • Name that you will see in other implementation
    • transform
    • md5_compress
       
  • The "state" parameter is often defined as a class variable.

 

Merkle-Damgard

Hashing variable length message

  • Block chaining
    • Requires padding
    • The output of the last chain is the "hash".

Merkle-Damgard

Padding

  • For MD5
    • Append "\x80".
    • Append "\x00" until there's only 8 bytes to fill.
    • Append the size of the message on 8 bytes.
    • https://gist.github.com/HoLyVieR/11e464a91b290e33b38e#file-md5-py-L215

Merkle-Damgard

source : http://commons.wikimedia.org/wiki/File:Merkle-Damgard_hash_big.svg

Chaining

  • The IV is a constant for the hashing algorithm
  • MD5 doesn't have a finalisation step

Extension

Extension

  • The output will be the hash of :
    • Initial message                            +
    • Padding of the initial message +
    • Appended message
       
  • This is interesting because we can predict a hash output even if part of the initial message is unknown.

Example

  • Broken signature method
    • Hash/Signature = MD5(shared secret + message)
    • If we extend the hash, the new hash will be the hash of
      • Initial message (shared secret + message)  +
      • Padding of initial message +
      • Appended message                                        
      • Result is "shared secret + message + padding + new message"
    • The result obtained is the hash/signature of "message + padding + new message"
  • Merkle-Damgard hashing algorithm can be used safely for signature, but you need the HMAC structure for that !

Challenges

IP : 172.20.64.108

Challenges

  • Hints (1)
    • Part of the output of the hash can obtained by setting the odds really high !
    • Figure a way to test missing bytes.

Challenges

  • Hints (1)
    • Part of the output of the hash can obtained by betting a lot of money !
    • Figure a way to test missing bits.

  • Hints (2)
    • To test the missing bits, bid
      • "a" = XXXXab87a7b88a8a.... = H(S + "a" + padding)
      • "a" + padding + "b" = H(S + "a" + padding + "b" + padding)
    • Bruteforce the missing bits of the 1st bid until the extension gives output the 2nd bid.
    • You can now predict the output, bid wisely and make a lot cash.

Challenges

  • Solutions
    • https://gist.github.com/HoLyVieR/2224af63adb804b68cef
    • https://gist.github.com/HoLyVieR/912a7769e90ded9fcda3

Hash Length Extension - MontreHack

By Olivier Arteau

Hash Length Extension - MontreHack

  • 2,142