Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop 2: Length Extension Attack Zhou Peng March 07, 2014.

Published byKian Tremelling Modified over 9 years ago

Similar presentations

Presentation on theme: "Workshop 2: Length Extension Attack Zhou Peng March 07, 2014."— Presentation transcript:

1 Workshop 2: Length Extension Attack Zhou Peng March 07, 2014

2 Objectives Understand one-way hash function and message digest. Understand how to use length extension attack to append data to a signed message Obtain hands-on experience for length extension attack 2

3 One-way Hash Function A function that is easy to compute on every input, but hard to invert given random inputs – Let h() be a one-way function Assuming h(a)=b Given a, it is easy to compute b Given b, it is hard to compute a – MD5, SHA-1, SHA-256 etc. – Try SHA-1 calculator at http://www.xorbin.com/tools/sha1- hash-calculatorhttp://www.xorbin.com/tools/sha1- hash-calculator References: – http://en.wikipedia.org/wiki/Cryptographic_hash_function http://en.wikipedia.org/wiki/Cryptographic_hash_function 3

4 Message Authentication Code (MAC) MAC is used to verify the data integrity of a message – Using a one-way function to calculate a hash value of a secret concatenated by a given message – Let m be a message and s be a secret. Let s || m be s concatenated by m – Secret s is used for authentication – Message digest h(s || m) is used by the receiver to verify whether message m is modified by attackers in transit. Why? References: – http://en.wikipedia.org/wiki/Message_authentication_cod e http://en.wikipedia.org/wiki/Message_authentication_cod e 4

5 Length Extension Attacks A type of attack against hash functions which allow inclusion of extra data without the knowledge of secret Attack details – Knowledge: h(s || m) and m, – Target: Appends m’ to m, and computes correct h(s || m || m’) – Exploit: A vulnerability in Merkle–Damgård construction, which literately calls hash functions on a message block basis. References: – http://en.wikipedia.org/wiki/Length_extension_attack http://en.wikipedia.org/wiki/Length_extension_attack 5

6 Merkle–Damgård construction Merkle–Damgård construction breaks original data (s || m) into message blocks. Let b be the size of a message block. – If (s || m)%b! = 0, an additional content p should be padded to s || m to ensure (s || m || p)%b == 0. References: – http://en.wikipedia.org/wiki/Length_extension_attack http://en.wikipedia.org/wiki/Length_extension_attack 6

7 Merkle–Damgård construction Merkle–Damgård constructs a hash chain based on message blocks, where each hash value of predecessor is used as the input to the successor hash function References: – http://en.wikipedia.org/wiki/Length_extension_attack http://en.wikipedia.org/wiki/Length_extension_attack 7

8 Vulnerability Attackers have the knowledge of h(s || m || p) and m. Attackers should guess the length of the secret s to compute p. Attackers thus can append arbitrary data to original data with its paddings (i.e., m || p) and can compute the correct hash of the appended message. Why? 8

9 Vulnerability The original data of h(s || m || p || m’ || p’) is m || p || m’, where m’ is the data controlled by attackers and p requires the attackers to guess. Guessing the length of secret s is the key to compute the padding content p!!! 9

10 Public Padding Pattern The padded data p follows a standard: – The first bit of p is ‘1,’ then followed by many successive 0 bits until 64 bits left for the padding length of s || m. References: – https://blog.skullsecurity.org/2012/everything-you- need-to-know-about-hash-length-extension-attacks https://blog.skullsecurity.org/2012/everything-you- need-to-know-about-hash-length-extension-attacks 10

11 Padding Details Given a length of (s || m) 80 bits (10 bytes). Pad (512-80) = 432 bits in total First pad format-fixed (512-80 -64) = 368 bits. The 368 bits of padding is (10000000….000), 1 ‘1’ and 367 ‘0’ The last 64 bits for padding the length of s || m Attackers should guess length of s || m. – Length extension attack! References: – https://blog.skullsecurity.org/2012/everything-you- need-to-know-about-hash-length-extension-attacks https://blog.skullsecurity.org/2012/everything-you- need-to-know-about-hash-length-extension-attacks 11

12 A Length Extension Attack Example Assuming the secret is “password”, the original data is “data”, then the SHA-1 signature is 6f5a7284246a7693c5f37f19f26609af84f56431 Attackers attempt to append “attacking” to the original data. The new data is (you see %60 as the length of (s || m) = 12bytes = 96 (0x60) bits) data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%0 0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00% 00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60 attacking The new signature is a2feef179114b40605307e0ca260a3e72a56017c 12

13 Tool hash_extender: – https://github.com/iagox86/hash_extender https://github.com/iagox86/hash_extender – VM: Y:\Tutorials\VM_image\Ubuntu12\ubuntu_xp.cmd – Command line usage: sudo apt-get install git g++ libssl-dev git clone https://github.com/iagox86/hash_extenderhttps://github.com/iagox86/hash_extender cd hash_extender/ make./hash_extender –h./hash_extender -d data -a attacking -l 8 -s 6f5a7284246a7693c5f37f19f26609af84f56431 -f sha1 --out- data-format=html 13

14 Demo Page http://158.132.255.16:25005/comp444/demo.php?d=data&h=6f5a7284246a7 693c5f37f19f26609af84f56431 http://158.132.255.16:25005/comp444/demo.php?d=data&h=6f5a7284246a7 693c5f37f19f26609af84f56431 Attacker knows the hash function is SHA-1() and the length of secret is 8. They try to append new data “attacking” to the end of the original data: – http://158.132.255.16:25005/comp444/demo.php?d=dataattacking&h=6f5a7284246a7693c5 f37f19f26609af84f56431 http://158.132.255.16:25005/comp444/demo.php?d=dataattacking&h=6f5a7284246a7693c5 f37f19f26609af84f56431 See what happens? –./hash_extender -d data -a attacking -l 8 -s 6f5a7284246a7693c5f37f19f26609af84f56431 -f sha1 --out-data-format=html Type: sha1 Secret length: 8 New signature: a2feef179114b40605307e0ca260a3e72a56017c New string: data%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%60attacking – http://158.132.255.16:25005/comp444/demo.php?d=data%80%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60 attacking&h=a2feef179114b40605307e0ca260a3e72a56017c http://158.132.255.16:25005/comp444/demo.php?d=data%80%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%60 attacking&h=a2feef179114b40605307e0ca260a3e72a56017c See what happens? 14

15 Preventing Length Extension Attack Possible Solutions – MAC: h(s || m || s) – HMAC: h(s  opad ||h(s  ipad ||m)) – Try HMAC at http://www.freeformatter.com/hmac- generator.htmlhttp://www.freeformatter.com/hmac- generator.html Whether the length extension attack is defeated? Reference: http://en.wikipedia.org/wiki/Hash- based_message_authentication_codehttp://en.wikipedia.org/wiki/Hash- based_message_authentication_code 15

16 Problems 1.Given a secret “password”, a SHA-1 hash 6d5f807e23db210bc254a28be2d6759a0f5f5d77 and an original data “polyu”, please append a new message “computing” to the end of original data, and let me know the result of appended data and the new digest. (10 marks) a.Please use out-data-format=html for your answer. 2.Given a vulnerable web page http://158.132.255.16:25005/comp444/assignment.php?d=data&h=46071a 0ad0dc4c51e83d05410ff80b80f3ee6cc1, please append a new message “attacking” to the end of parameter d and make web server accepts your data (you should see the message ” Your hash is correct. Great!” in your browser). Answer the following questions: http://158.132.255.16:25005/comp444/assignment.php?d=data&h=46071a 0ad0dc4c51e83d05410ff80b80f3ee6cc1 a.Hong long of the secret used by the vulnerable page? (5 marks) b.What is the new digest when you successfully append “attacking”? (5 marks) 16

17 Problems (Cont.) 3.Given a block size of 512bits, is it possible that the size of padding content larger than 512 bits? If no, please elaborate your reason. If yes, please give examples. (10 marks) Hint: each padding must have 64-bits padding length and at least one bit. 4.Test whether other well-known hash functions (http://en.wikipedia.org/wiki/Cryptographic_ha sh_function, except for SHA-1 and MD5) suffer from the length extension attacks (1 mark each).http://en.wikipedia.org/wiki/Cryptographic_ha sh_function Include the output of each successful attack. 17

18 Submission The questions will be submitted with other workshop questions at the end of the term. 18

19 Questions? 19

Download ppt "Workshop 2: Length Extension Attack Zhou Peng March 07, 2014."

Similar presentations

Symmetric Message Authentication Codes Prof. Ravi Sandhu.

Symmetric Message Authentication Codes Prof. Ravi Sandhu.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.

MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

Similar presentations

Ads by Google