- From: Adam Langley <agl@google.com>
- Date: Mon, 27 Jan 2014 17:17:38 -0500
- To: Andrew <andrew@nelless.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 27, 2014 at 11:50 AM, Andrew <andrew@nelless.net> wrote:
> Forgive me if I'm mistaken, but the current hashing solution detailed
> in the Subresource Integrity specification seems to be silent on the
> possibility of length extension with Merkle–Damgård type hash
> functions like the SHA family.

The use-case is that the hash is delivered over a trusted channel and is used to verify a message. Length extension attacks allow one to calculate H(x + extra stuff), given H(x) and without needing to know x. In this case, being able to calculate different hash values doesn't matter because the attacker can't provide the hash.

Length extension is a problem when attempting to implement private-key signatures using H(key + message). In this case the attacker doesn't know key, but can calculate a signature (H(key + message + extra stuff)) for a different message.

Cheers

AGL
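The distinction above, as an added illustration that is not code from the thread or from the SRI specification: an SRI check recomputes the digest of the fetched bytes and compares it with a value delivered in the HTML, so an appended tail simply fails verification, whereas for a keyed tag the right construction is HMAC rather than H(key || message). The resource bytes, appended bytes and key are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample resource, standing in for a script served from a CDN.
RESOURCE = b"console.log('hello from the CDN');\n"
# Constructed bytes that a tampered copy of the file might have appended.
APPENDED = b"console.log('injected');\n"
# Constructed key for the keyed-tag part of the example.
KEY = b"constructed-shared-secret"


def sri_integrity(data: bytes, alg: str = "sha256") -> str:
    """Build an SRI integrity value, '<alg>-<base64 digest>', as it would
    appear in the HTML page. The page is the trusted channel here."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(data: bytes, integrity: str) -> bool:
    """Recompute the digest of the bytes actually fetched and compare it
    with the trusted value. Being able to compute H(x || extra) from H(x)
    is irrelevant: the verifier hashes the whole body it received, and the
    trusted value is not under the attacker's control."""
    alg, _, b64 = integrity.partition("-")
    expected = base64.b64decode(b64)
    actual = hashlib.new(alg, data).digest()
    return hmac.compare_digest(actual, expected)


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """H(key || message): the construction the mail warns against. The
    digest is the Merkle-Damgard state after absorbing key || message, so
    nothing in it depends on the key being secret once the tag is known."""
    return hashlib.sha256(key + msg).digest()


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: the inner digest is hashed again under the key, so the
    published tag is not a state that further blocks can be chained onto."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of an HMAC tag for the message received."""
    return hmac.compare_digest(hmac_tag(key, msg), tag)
```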
Received on Monday, 27 January 2014 22:18:26 UTC