Re: Subresource Integrity Length Extension?

On Mon, Jan 27, 2014 at 11:50 AM, Andrew <andrew@nelless.net> wrote:
> Forgive me if I'm mistaken, but the current hashing solution detailed
> in the Subresource Integrity specification seems to be silent on the
> possibility of length extension with Merkle–Damgård type hash
> functions like the SHA family.

The use-case is that the hash is delivered over a trusted channel and
is used to verify a message. Length extension attacks allow one to
calculate H(x + extra stuff), given H(x) and without needing to know
x. In this case, being able to calculate different hash values doesn't
matter because the attacker can't provide the hash.

Length extension is a problem when attempting to implement private-key
signatures using H(key + message). In this case the attacker doesn't
know key, but can calculate a signature (H(key + message + extra
stuff)) for a different message.


Cheers

AGL
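As an added illustration of the point above (example code, not part of AGL's message or the SRI spec), here is a small Python verifier that applies the SRI matching rule to a digest pinned in the trusted HTML: appending to the fetched body changes its digest, but because the expected value lives in the `integrity` attribute rather than alongside the body, the extended resource is simply rejected. The function names and the sample script are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Digest algorithms SRI allows, with their relative strength (sha512 strongest).
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def parse_integrity(attr):
    """Return [(alg, raw_digest)] for each well-formed token; unknown or malformed tokens are skipped."""
    out = []
    for token in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if not m:
            continue
        try:
            digest = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        out.append((m.group(1), digest))
    return out


def sri_matches(attr, body):
    """SRI rule: consult only the strongest listed algorithm; any matching digest for it passes."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata: the attribute is ignored and the resource is accepted
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    for alg, expected in parsed:
        if STRENGTH[alg] != strongest:
            continue
        actual = ALGORITHMS[alg](body).digest()
        if hmac.compare_digest(actual, expected):  # constant-time compare of the two digests
            return True
    return False


def integrity_for(body, alg="sha384"):
    """Build the integrity attribute value a page author would pin for a known-good body."""
    return f"{alg}-{base64.b64encode(ALGORITHMS[alg](body).digest()).decode()}"


# Constructed sample: the author pins ORIGINAL; something on the path appends to it in transit.
ORIGINAL = b"window.onload = function () { console.log('hello'); };\n"
EXTENDED = ORIGINAL + b"/* appended in transit */\n"
PINNED = integrity_for(ORIGINAL)

if __name__ == "__main__":
    print(sri_matches(PINNED, ORIGINAL))  # True
    print(sri_matches(PINNED, EXTENDED))  # False: the pinned digest cannot be changed by the sender
```

Whoever can compute a digest for the extended body still has no way to place it in the page's `integrity` attribute, which is why the thread concludes that length extension does not threaten SRI.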

Received on Monday, 27 January 2014 22:18:26 UTC