## Introduction
A length extension attack is a cryptographic attack in which an attacker who knows the hash of a message (message1) and the length of that message can calculate the hash of a new message consisting of the original message followed by the attacker's added message (message1 ‖ message2), without needing to know the contents of the original message (message1). This vulnerability is common in hash functions based on the Merkle-Damgaard design, such as MD5, SHA-1, and most of the SHA-2 family.
## Attack mechanism
The Merkle-Damgaard design is used in various hash functions to handle variable-length messages. It includes the following steps:
1. Message padding: The message is padded to a multiple of the block length (usually 512 bits).
2. Initialization: The initial hash value (IV) is initialized.
3. Block processing: The message is broken into blocks and each block is processed using a compression function that depends on the previous hash value and the current block.
4. Finalization: After processing all the blocks, the resulting value is the hash of the message.
A length extension attack takes advantage of the fact that the final hash is the internal state left after the last block, so an attacker can continue processing a message knowing only its hash and length. This allows them to calculate the hash of a new message, consisting of the original message and the appended fragment, without knowing the contents of the original message.
## Attack example
Let’s consider an example where the attacker knows the hash of message1 and its length. They can create a new message by adding message2 to the original message, and calculate the hash of the new message as follows:
1. Known hash: The attacker knows hash(message1).
2. Message length: The attacker knows the length of message1.
3. Padding: The attacker pads message1 to the required length.
4. Adding message2: The attacker adds message2 to the padded message1.
5. Hash Calculation: Using the known hash and the length of message1, the attacker can calculate the hash(message1 ‖ message2).
## Security recommendations
To protect against length extension attacks, it is recommended to avoid using hash functions based on the Merkle-Damgaard design, such as MD5, SHA-1, and most SHA-2. Instead, you should use hash functions that are resistant to such attacks, such as SHA-3, or use HMAC (Hash-based Message Authentication Code), which includes a secret key and protects against length extension attacks.
## Conclusion
The length extension attack is a serious vulnerability for hash functions based on the Merkle-Damgaard design. Attackers could use this vulnerability to calculate hashes of new messages without knowing the content of the original message. To protect against such attacks, it is recommended to use more modern and secure hash functions such as SHA-3, or use HMAC to ensure message integrity and authenticity.