
I've been reading about SHA-1. I read that SHA-1 is insecure as it uses the Merkle-Damgård construction and the Merkle-Damgård construction is — according to Wikipedia — susceptible to a variety of attacks. However, I have not been able to come up with a single example of how these work.

Can someone give me an example of a length extension attack?

e-sushi
Prachi
  • http://www.skullsecurity.org/blog/2012/everything-you-need-to-know-about-hash-length-extension-attacks explains it pretty well. – orlp Aug 08 '13 at 01:56
  • I think you, to some extent, misinterpreted the Wikipedia entry. The fact that Merkle-Damgård has certain potentially undesirable features does not per se imply that SHA-1 (or any other MD hash) is insecure. It just means that some care has to be taken when using MD hashes as building blocks for higher level schemes. – Henrick Hellström Aug 08 '13 at 01:59
  • I see what you mean. Don't use Merkle-Damgård. Use an enhanced/modified version. But there has to be some major reason why NIST decided to come up with SHA-2 and SHA-3 subsequently. Surely, if being careful while implementing/using SHA-1 solved the problem of security, we wouldn't need SHA-2/SHA-3? I did read somewhere that SHA-2 also uses the Merkle-Damgård construction and there have been theoretical attacks against it. But I still haven't read much about SHA-2. So I still don't know why it is better than SHA-1. – Prachi Aug 08 '13 at 02:25
  • Found another useful link that explains the length extension attack: http://crypto.stackexchange.com/questions/3978/understanding-a-length-extension-attack – Prachi Aug 08 '13 at 02:48
  • @Prachi NIST felt uncomfortable that in the unfortunate event of a successful attack against SHA-2 there would be no secure vetted algorithm left - hence SHA-3 was born. You could say that SHA-3 is the backup plan. – orlp Aug 08 '13 at 03:01
  • Yes, I've read that SHA-3 is not a replacement for SHA-2, but rather an alternative to SHA-2, as it has a totally different construction from SHA-1 and SHA-2. There have been no successful practical attacks against SHA-2. – Prachi Aug 08 '13 at 03:30
  • I also understood what @Henrick was saying earlier. Successful collision attacks have been made against SHA-1. The undesirable properties of the Merkle-Damgård construction just worsen the situation. For example, after a successful collision attack, the attacker can find more collisions very cheaply. That does not mean that the undesirable properties of the Merkle-Damgård construction are the main reason for the insecurity of SHA-1. – Prachi Aug 08 '13 at 03:33
  • But at the same time, there is contradictory data on Wikipedia: 'In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced.[14] The attacks can find collisions in the full version of SHA-1, requiring fewer than 269 operations. "In particular, our analysis is built upon the original differential attack on SHA-0 [sic], the near collision attack on SHA-0, the multiblock collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA-1 would not be possible without these powerful analytical techniques."' – Prachi Aug 08 '13 at 03:34
  • Possible dup: http://crypto.stackexchange.com/q/3978/351 – D.W. Aug 08 '13 at 04:25
  • Prachi, I think you mean 2^69 operations. If full-round SHA-1 collisions could be found in two hundred and sixty-nine operations, there would be trouble. – pg1989 Aug 08 '13 at 06:26
  • Voting to close, as the answer of Thomas Pornin includes an example of how length extension attacks work. – Maarten Bodewes Aug 08 '13 at 12:14
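Added worked example (not from the question, the comments or the linked posts): a minimal pure-Python SHA-1 whose chaining state and absorbed length can be set, used to show the Merkle-Damgård property the comments refer to. It demonstrates why a verifier using the secret-prefix construction H(key || msg) accepts an extended message whose tag was derived from the original digest alone, and that HMAC-SHA1 over the same bytes does not. The key, message and extension are constructed sample values; the helper names are this example's own.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

def _compress(h, block):  # one SHA-1 compression of a 64-byte block into the 5-word state
    w = list(struct.unpack(">16I", block)) + [0] * 64
    for i in range(16, 80):
        w[i] = _rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1)
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))

def md_padding(total_len):
    """Merkle-Damgård padding SHA-1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1(data, state=IV, absorbed=0):
    """SHA-1 of data; with state/absorbed set, continues a hash whose first `absorbed`
    bytes (a multiple of 64) have already been compressed into `state`."""
    msg = data + md_padding(absorbed + len(data))  # length field counts absorbed bytes too
    h = state
    for i in range(0, len(msg), 64):
        h = _compress(h, msg[i:i + 64])
    return struct.pack(">5I", *h)

def secret_prefix_mac(key, msg):
    """The unsafe construction H(key || msg): its digest IS the final chaining state."""
    return hashlib.sha1(key + msg).digest()

def extend(tag, key_len, msg, extra):
    """From tag = SHA-1(key||msg), the key's length and msg, derive the tag of
    key||msg||glue||extra without the key. Returns (msg||glue||extra, new_tag)."""
    glue = md_padding(key_len + len(msg))
    absorbed = key_len + len(msg) + len(glue)  # block boundary reached after glue
    return msg + glue + extra, sha1(extra, struct.unpack(">5I", tag), absorbed)

def demo():
    key, msg, extra = b"s3cr3t-key", b"user=alice&role=user", b"&role=admin"  # constructed sample values
    forged_msg, forged_tag = extend(secret_prefix_mac(key, msg), len(key), msg, extra)
    naive_ok = hmac.compare_digest(secret_prefix_mac(key, forged_msg), forged_tag)  # True
    hmac_ok = hmac.compare_digest(hmac.new(key, forged_msg, "sha1").digest(), forged_tag)  # False
    return naive_ok, hmac_ok
```

The same continuation works for any Merkle-Damgård hash whose output is the full chaining state (MD5, SHA-256); it fails for HMAC because the outer hash over the inner digest hides the state, and for SHA-3 because the sponge never outputs its whole state.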
