MD5 Length Extension Attack    Posted:


I found this great explanation of a length extension attack here by Skullsecurity and decided to implement my own proof-of-concept in Python for MD5. Turns out it was quite simple.

Tl;dr; I should be able to spoof hash signatures in the cases where H(secret + data) is used for verification.

I found an alternative MD5 implementation which let me edit the initilization vectors. The one provided by python is a C module. Using the alternative one, and the great explanation provided by Skull, I wrote the folowing script.

length-extension.py

 1 import md5py
 2 import struct
 3 
 4 def hexdump(s):
 5         for b in xrange(0, len(s), 16):
 6                 lin = [c for c in s[b : b + 16]]
 7                 #~ if sum([ord(l) for l in lin]) == 0:
 8                         #~ continue
 9                 hxdat = ' '.join('%02X' % ord(c) for c in lin)
10                 pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
11                 print('  %04x: %-48s %s' % (b, hxdat, pdat))
12         print
13 
14 secret = b"secret"
15 original = b"data"
16 append = b"append"
17 
18 def pad(s):
19         padlen = 64 - ((len(s) + 8) % 64)
20         bit_len = 8*len(s)
21         if(padlen < 64):
22                 s += '\x80' + '\000' * (padlen - 1)
23         return s + struct.pack('<q', bit_len)
24 
25 val = md5py.new(secret+original)
26 print "Original payload:", val.hexdigest()
27 
28 payload = pad(secret+original)+append
29 hexdump(payload)
30 
31 legit = md5py.new(payload)
32 print "Legit digest:", legit.hexdigest()
33 
34 not_legit = md5py.new("A"*64)
35 not_legit.A, not_legit.B, not_legit.C, not_legit.D = md5py._bytelist2long(val.digest())
36 not_legit.update(append)
37 print "Illicit digest:", not_legit.hexdigest()
38 
39 if legit.hexdigest() == not_legit.hexdigest():
40         print "Success!"
41 else:
42         print "Fail!"

An example run:

tethik@capncrunch:~/code/python/learningcrypto/md5$ python length-extension.py
Original payload: 6036708eba0d11f6ef52ad44e8b74d5b
  0000: 73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00  secretdata......
  0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0030: 00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00  ........P.......
  0040: 61 70 70 65 6E 64                                append

Legit digest: 6ee582a1669ce442f3719c47430dadee
Illicit digest: 6ee582a1669ce442f3719c47430dadee
Success!