1

I want to process a HMAC* length extension attack for a university task. Therefore I have both, a HMAC* and the corresponding message, provided and want to attach another arbitrary message and recalculate the HMAC without having the key. Regarding our lecture, this is possible and a very common attack scenario.

My problem is rather implementation based: To drive this attack, I need to replace the default SHA256 starting values (h0 to h7) with the existing HMAC* I already have. As I do not have the key, just pushing in the orginal data will not be possible.

Is there any way except reimplementing SHA256 that would allow me to replace these starting values in python3?

Clarification

I have a valid HMAC* h given. Furthermore, there is the a message m that has been used (together with a secret key k) to generate h. (h = SHA256(k || m)).

My task: I need to find a way to derivate another HMAC* h' without knowing k on the basis of m. It turned out, that the new message is m' = m + pad(k||m) + a with a randomly chosen a.

Further clarification

*: With "HMAC" I do not refer to the standard of RFC 2014. HMAC in general "is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key." (Wikipedia.org/HMAC). In this case, the HMAC is calculated as h = SHA256(k || m) where k is the secret key, || is the concatenation and m is the message.

Improve this question
3
  • What HMAC length extension attack would that be? The "raison d'etre" of HMAC is to avoid length extension attacks. Besides that, what makes you think that you need to change the start values to perform a length extension attack? Commented Dec 19, 2020 at 13:51
  • 1
    Generally API's won't provide this kind of functionality, but as always you can always copy the source and change that. Commented Dec 19, 2020 at 13:51
  • I finally got it by porting a C implementation. Other ways might had caused less effort, but going that way I learned how SHA256 works quite well. I will clarify the problem in the question soon. Commented Dec 20, 2020 at 20:17

1 Answer 1

Reset to default
1

First of all, the SHA256 context includes multiple parameters. In this solution, two of these are relevant: The state which somehow represents the "progress" of the SHA256 algorithm. The final state is actually the SHA256 hash sum. And the seconds parameter is the overall message length in bits, that will be set at the end of the padding.

Furthermore, SHA256 always uses padding what means, another sequence of bytes p is implicitly added to the input data before calculating the final hash and depends on the actual input value. So lets say SHA256(x) = mySHA256(x || p(x)) assuming that mySHA256 is not using padding.

When the given HMAC h has been generated using h = SHA256(k || m) = mySHA256(k || m || p) where k was the secret key and m was the message, h represented the final state of the SHA256 context. Additionally, we have an implicit padding p that depends on k || m. Hereby, p is not rather dependend on len(k) and not k itself, what means that we can calculate p without knowing the key but it's length.

As my target will only accept my modified message m' = m + a when I deliver a correct HMAC h' = SHA256(k || m'), I need to focus on that point now. By knowing the original HMAC h, I can set the state of the SHA256 context corresponding to h. As I know the message m as well, and I know that the overall message length in bits is (len(k) + len(m) + len(p)) * 8, my overall message length is just depending on len(k) (not k!) because len(p) only depends on len(k) and len(m). I will iterate through a range of len(k), like 1 - 64. In each iteration step, I can just insert my value for len(k). So it is possible to set the overall message length (the second parameter of my SHA256 context), too.

When iterating through all key lengths, there will be one value that represents the length of the key that has actually been used. In that case, I have a SHA256 context that exactly equals the context of the original calculation. We can now add our arbitrary data a to the hash calculation and create another HMAC h' that does depend on the key k without knowing it. h' = SHA256(k || m || p || a)

But now, we have to ensure that this HMAC h' equal to that one, the target calculates using our message m'. Therefore, we add our padding p to the end of original message m followed by our arbitrary message a. Finally we have m' = m || p || a.

As the target knows the secret key in order to validate the input data, it can easily calculate SHA256(k || m') = SHA256(k || m || p || a)* and oooops! Indeed that is the same hash sum as our HMAC h' that we calculated without knowing the secret key k

Result: We can not add a fully arbitrary message, but a message that is fully arbitrary after the padding. As the padding is mostly filled with Null-Bytes, that can disturb our attack, but that depends on each case. In my case, the Null-Bytes were ignored and I just had one artifact from the overall message length displayed before my inserted message.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What you call HMAC is possibly a keyed hash, but HMAC is a specific scheme that uses a hash. Therefore, not all keyed hash schemes should be called HMAC. And it is called SHA-256, not SHA256; best keep to standardized names otherwise these kind of misunderstandings keep happening.
Well, I do not agree on all of your points. First of all, HMAC is a "is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key" (en.wikipedia.org, HMAC). So, HMAC is not a specific scheme but RFC 2104 is. Nevertheless I didn't mention that I do not refer to this standard, what was not helpful for a common understanding. Regarding the SHA(-)256 thing: If the missing minus sign causes misunderstandings, I assume the problem is located on the reader's side.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.