skerkour / kerkour.com

(Ab)using technology for fun & profit. Programming, Hacking & Entrepreneurship @ https://kerkour.com
Apache License 2.0

sha256-length-extension-attack: Correct the padding calculation #91

Closed magodo closed 4 months ago

magodo commented 7 months ago

I've been reading about the sha256 length extension attack in a book, and was going to try this out in Go yesterday. Then I found your article https://kerkour.com/sha256-length-extension-attacks, which is really helpful, and is indeed the way I was doing it. Thank you for writing this!

While reading your blog, I noticed that the padding calculation (and the loading of the d.len) doesn't exactly match the RFC's equation. E.g. given:

    legitimateData := []byte(strings.Repeat("a", 63-len(secretKey)))

Your demo code will panic.

Instead of re-building the wheel, we can reuse the padding logic already implemented in sha256.go (as is done in this PR). With this, the above input can still work as expected.
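An added example, not part of the PR or the blog's code: the SHA-256 padding rule written out and checked against Go's `crypto/sha256` across block boundaries, including the 63-byte case from the comment above. The function names are hypothetical, and the check relies on the layout of the standard library's marshaled hash state (4-byte magic followed by the eight state words), which is an assumption about that encoding.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding"
	"encoding/binary"
	"fmt"
)

// sha256Padding returns the bytes SHA-256 appends to a message of msgLen bytes:
// 0x80, then k zero bytes so that msgLen+1+k is 56 mod 64, then the message
// length in bits as a big-endian uint64. When fewer than 9 bytes remain in the
// current block (msgLen%64 > 55), the padding spills into a second block.
func sha256Padding(msgLen uint64) []byte {
	zeros := (64 + 55 - msgLen%64) % 64 // +64 keeps the unsigned subtraction from wrapping
	pad := make([]byte, 1+zeros+8)
	pad[0] = 0x80
	binary.BigEndian.PutUint64(pad[1+zeros:], msgLen*8)
	return pad
}

// paddingMatchesStdlib reports whether the padding is correct for msg: after
// absorbing msg||padding, the hash's internal state must equal SHA-256(msg).
func paddingMatchesStdlib(msg []byte) (bool, error) {
	h := sha256.New()
	h.Write(msg)
	h.Write(sha256Padding(uint64(len(msg))))
	m, ok := h.(encoding.BinaryMarshaler)
	if !ok {
		return false, fmt.Errorf("hash state is not marshalable")
	}
	state, err := m.MarshalBinary()
	if err != nil {
		return false, err
	}
	want := sha256.Sum256(msg)
	// Assumed layout: state[0:4] is a magic tag, state[4:36] the eight state words.
	return len(state) >= 36 && bytes.Equal(state[4:36], want[:]), nil
}

func main() {
	for _, n := range []int{0, 55, 56, 63, 64, 119} {
		msg := bytes.Repeat([]byte("a"), n) // constructed input standing in for secret||data
		ok, err := paddingMatchesStdlib(msg)
		fmt.Printf("len=%3d padding=%2d bytes ok=%v err=%v\n", n, len(sha256Padding(uint64(n))), ok, err)
	}
}
```

The same property is why a bare `SHA256(secret || data)` tag is extendable and why HMAC is the appropriate construction for keyed authentication.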

sylvain101010 commented 7 months ago

Hey @magodo good catch, thank you very much!

I'm not sure I will merge this PR (for copyright reasons, I want to maintain full ownership of the code in my repos...), so I will keep it open while I decide, but will fix the blog post nonetheless.

magodo commented 7 months ago

Feel free to close my PR and apply the changes to the blog & code accordingly :)

sylvain101010 commented 4 months ago

Thank you :)