Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the...












1












$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$








  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    12 hours ago










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    1 hour ago
















1












$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$








  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    12 hours ago










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    1 hour ago














1












1








1





$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$




Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?







hash merkle-damgaard length-extension






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 14 hours ago









AleksanderRasAleksanderRas

2,9471935




2,9471935








  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    12 hours ago










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    1 hour ago














  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    12 hours ago










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    1 hour ago








1




1




$begingroup$
Double-Hashing and truncation?
$endgroup$
– SEJPM
12 hours ago




$begingroup$
Double-Hashing and truncation?
$endgroup$
– SEJPM
12 hours ago












$begingroup$
HMAC is the typical construction
$endgroup$
– Natanael
1 hour ago




$begingroup$
HMAC is the typical construction
$endgroup$
– Natanael
1 hour ago










2 Answers
2






active

oldest

votes


















4












$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



Quoting the paper:




A prefix-free code over the alphabet ${0, 1}^κ$is an efficiently computable injective function $g: {0, 1}^∗ to ({0, 1}^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.




One such encoding is given in the paper




Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m1, . . . , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, . . . , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







share|improve this answer









$endgroup$





















    0












    $begingroup$


    • Fixed output filters like SHA-256d

    • Keyed output filters like HMAC, envelope-MAC, etc.

    • Truncation like SHA-512/256

    • Prefix-free message encoding like length-prefixed

    • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






    share|improve this answer









    $endgroup$














      Your Answer





      StackExchange.ifUsing("editor", function () {
      return StackExchange.using("mathjaxEditing", function () {
      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
      });
      });
      }, "mathjax-editing");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "281"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68502%2fhave-there-been-efforts-to-prevent-length-extension-attacks-of-hashing-algorithm%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      4












      $begingroup$

      Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



      Quoting the paper:




      A prefix-free code over the alphabet ${0, 1}^κ$is an efficiently computable injective function $g: {0, 1}^∗ to ({0, 1}^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
      prefix of $g(y)$.




      One such encoding is given in the paper




      Function g1(m): let $N$ be the message length of $m$ in bits.
      write $m$ as $(m1, . . . , m_l)$ where for all $i$, $|m_i| = k$.
      and with the last block $m_l$ padded with $10^r$.
      let $g1(m) = (langle N rangle, m_1, . . . , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







      share|improve this answer









      $endgroup$


















        4












        $begingroup$

        Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



        Quoting the paper:




        A prefix-free code over the alphabet ${0, 1}^κ$is an efficiently computable injective function $g: {0, 1}^∗ to ({0, 1}^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
        prefix of $g(y)$.




        One such encoding is given in the paper




        Function g1(m): let $N$ be the message length of $m$ in bits.
        write $m$ as $(m1, . . . , m_l)$ where for all $i$, $|m_i| = k$.
        and with the last block $m_l$ padded with $10^r$.
        let $g1(m) = (langle N rangle, m_1, . . . , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







        share|improve this answer









        $endgroup$
















          4












          4








          4





          $begingroup$

          Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



          Quoting the paper:




          A prefix-free code over the alphabet ${0, 1}^κ$is an efficiently computable injective function $g: {0, 1}^∗ to ({0, 1}^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
          prefix of $g(y)$.




          One such encoding is given in the paper




          Function g1(m): let $N$ be the message length of $m$ in bits.
          write $m$ as $(m1, . . . , m_l)$ where for all $i$, $|m_i| = k$.
          and with the last block $m_l$ padded with $10^r$.
          let $g1(m) = (langle N rangle, m_1, . . . , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







          share|improve this answer









          $endgroup$



          Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



          Quoting the paper:




          A prefix-free code over the alphabet ${0, 1}^κ$is an efficiently computable injective function $g: {0, 1}^∗ to ({0, 1}^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
          prefix of $g(y)$.




          One such encoding is given in the paper




          Function g1(m): let $N$ be the message length of $m$ in bits.
          write $m$ as $(m1, . . . , m_l)$ where for all $i$, $|m_i| = k$.
          and with the last block $m_l$ padded with $10^r$.
          let $g1(m) = (langle N rangle, m_1, . . . , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 11 hours ago









          Marc IlungaMarc Ilunga

          30117




          30117























              0












              $begingroup$


              • Fixed output filters like SHA-256d

              • Keyed output filters like HMAC, envelope-MAC, etc.

              • Truncation like SHA-512/256

              • Prefix-free message encoding like length-prefixed

              • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






              share|improve this answer









              $endgroup$


















                0












                $begingroup$


                • Fixed output filters like SHA-256d

                • Keyed output filters like HMAC, envelope-MAC, etc.

                • Truncation like SHA-512/256

                • Prefix-free message encoding like length-prefixed

                • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






                share|improve this answer









                $endgroup$
















                  0












                  0








                  0





                  $begingroup$


                  • Fixed output filters like SHA-256d

                  • Keyed output filters like HMAC, envelope-MAC, etc.

                  • Truncation like SHA-512/256

                  • Prefix-free message encoding like length-prefixed

                  • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






                  share|improve this answer









                  $endgroup$




                  • Fixed output filters like SHA-256d

                  • Keyed output filters like HMAC, envelope-MAC, etc.

                  • Truncation like SHA-512/256

                  • Prefix-free message encoding like length-prefixed

                  • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 47 mins ago









                  Squeamish OssifrageSqueamish Ossifrage

                  22k132100




                  22k132100






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68502%2fhave-there-been-efforts-to-prevent-length-extension-attacks-of-hashing-algorithm%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      A CLEAN and SIMPLE way to add appendices to Table of Contents and bookmarks

                      Calculate evaluation metrics using cross_val_predict sklearn

                      Insert data from modal to MySQL (multiple modal on website)