
Re: Subresource Integrity Length Extension?

From: Adam Langley <agl@google.com>
Date: Mon, 27 Jan 2014 17:17:38 -0500
Message-ID: <CAL9PXLzGXt3DhxGPaj5+kY3gwWPdopYTY-jEpTSudx2qPMnyQg@mail.gmail.com>
To: Andrew <andrew@nelless.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 27, 2014 at 11:50 AM, Andrew <andrew@nelless.net> wrote:
> Forgive me if I'm mistaken, but the current hashing solution detailed
> in the Subresource Integrity specification seems to be silent on the
> possibility of length extension with Merkle–Damgård type hash
> functions like the SHA family.

The use-case is that the hash is delivered over a trusted channel and
is used to verify a message. Length extension attacks allow one to
calculate H(x + extra stuff), given H(x) and without needing to know
x. In this case, being able to calculate different hash values doesn't
matter because the attacker can't provide the hash.

Length extension is a problem when attempting to implement private-key
signatures using H(key + message). In this case the attacker doesn't
know key, but can calculate a signature (H(key + message + extra
stuff)) for a different message.


Cheers

AGL
Received on Monday, 27 January 2014 22:18:26 UTC
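The two claims in the reply above, checked on real SHA-256 (an added example for this archive page, not code from the thread or from the Subresource Integrity project): first, that from H(x) and the length of x alone one can compute H(x || glue || extra) without knowing x; second, that this breaks the naive MAC H(key || message) but does nothing against a digest that itself arrives over a trusted channel, which is the SRI setting. The pure-Python SHA-256 (`_compress`, `md_padding`, `sha256_from_state`, `length_extend`), the `naive_mac`/`sri_verify` helpers and every key, message and resource value are constructed for this example; `hmac_sha256` wraps the standard library's HMAC as the construction that resists extension.

```python
"""Length extension on SHA-256 (constructed example). Pure-Python SHA-256 whose compression
function can be resumed from a published digest; all keys/messages/resources are sample values."""
import hashlib
import hmac
import struct

_K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & 0xffffffff


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the eight 32-bit state words."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xffffffff)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & 0xffffffff
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & 0xffffffff
        a, b, c, d, e, f, g, h = (t1 + t2) & 0xffffffff, a, b, c, (d + t1) & 0xffffffff, e, f, g
    return [(x + y) & 0xffffffff for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def md_padding(msg_len):
    """Merkle-Damgard padding SHA-256 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha256_from_state(state, data, total_len):
    """Absorb `data` starting from `state`; `total_len` counts every byte hashed so far, `data` included.
    Starting from _IV with total_len == len(data) is plain SHA-256."""
    buf = data + md_padding(total_len)
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack(">8I", *state)


def sha256(data):
    return sha256_from_state(_IV, data, len(data))


def length_extend(digest, orig_len, suffix):
    """Claim 1: from H(x) and len(x) only, return (glue, H(x || glue || suffix)).
    glue is the padding H appended to x, so the published digest is exactly the state after x || glue."""
    glue = md_padding(orig_len)
    state = list(struct.unpack(">8I", digest))
    return glue, sha256_from_state(state, suffix, orig_len + len(glue) + len(suffix))


def naive_mac(key, msg):
    """The broken construction named in the reply: H(key || message)."""
    return sha256(key + msg)


def hmac_sha256(key, msg):
    """The standard fix: HMAC's outer keyed hash leaves nothing for an extension to resume from."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def forge_naive_mac(tag, key_len, msg, suffix):
    """Claim 2a: given only tag, msg and the key *length*, return a (message, tag) pair that
    H(key || .) accepts. The key itself is never touched here."""
    glue, forged_tag = length_extend(tag, key_len + len(msg), suffix)
    return msg + glue + suffix, forged_tag


def sri_verify(trusted_digest, resource_bytes):
    """Claim 2b: SRI-style check. The digest arrived over the trusted channel (the page markup);
    only the resource bytes can be altered, so an extended resource simply fails the comparison."""
    return hmac.compare_digest(sha256(resource_bytes), trusted_digest)


def matches_hashlib(data):
    return sha256(data) == hashlib.sha256(data).digest()


def demo():
    key, msg, extra = b"constructed-secret-key", b"amount=10&to=alice", b"&to=mallory"  # constructed samples
    forged_msg, forged_tag = forge_naive_mac(naive_mac(key, msg), len(key), msg, extra)
    resource, tamper = b"console.log('constructed sample script');", b"//tampered"      # constructed samples
    trusted = sha256(resource)
    glue, extended_digest = length_extend(trusted, len(resource), tamper)
    return {
        "sha256_matches_hashlib": matches_hashlib(b"abc") and matches_hashlib(b"a" * 200),
        "naive_mac_forged": naive_mac(key, forged_msg) == forged_tag,            # True: H(key||m) is broken
        "hmac_forged": hmac_sha256(key, forged_msg) == forged_tag,               # False: HMAC is not extendable
        "extension_digest_correct": sha256(resource + glue + tamper) == extended_digest,  # True: claim 1
        "sri_accepts_extended": sri_verify(trusted, resource + glue + tamper),   # False: trusted digest fixed
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the five results; the forged pair is accepted by `naive_mac` because the verifier's own hashing of `key || msg || glue || suffix` passes through the very state the attacker resumed from, whereas `sri_verify` compares against a digest the forger cannot alter, so computing a different valid hash buys nothing.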