Re: Avoiding extension attack


sci.crypt archive

From: <alexiswarner@gmail.com>
Date: Tue Feb 07 2006 - 18:35:04 CET

Hi Jean,

> Are you aware that modern hashes use the length to help avoid this?

If you mean the Merkle-Damgaard strengthening, it can't stop the
extension attack. The adversary calculates the hash of
M || L || M' || L'
knowing only the hash of M || L (L and L' are the lengths of M and M').
This is why MAC(K, M) = SHA(K || M) is insecure.

> Perhaps you took this into account, can you please explain all your
> symbols?

Which symbol didn't you understand?
Received on Tue Feb 7 21:00:14 2006
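
The point made in the reply above, as an added example that is not part of the original post: a toy Merkle-Damgaard hash with length strengthening, showing that a tag for K || M still determines a valid tag for K || M || L || M', while the HMAC structure over the same hash does not. The compression function (a stand-in built from SHA-256), the block size, the IV, all function names and the sample values are assumptions made for illustration, and the key length is assumed known.

```python
import hashlib
import struct

BLOCK = 64          # toy hash block size in bytes (assumption)
IV = b"\x00" * 32   # toy initial chaining value (assumption)

def compress(state, block):
    # Stand-in compression function (assumption): fixed-size f(state, block).
    return hashlib.sha256(state + block).digest()

def md_pad(total_len):
    # Merkle-Damgaard strengthening: 0x80, zero fill, then length L in bits.
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def md_hash(msg, state=IV, prior_len=0):
    # Hash msg; optionally resume from a chaining value covering prior_len bytes.
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def naive_mac(key, msg):
    return md_hash(key + msg)            # MAC(K, M) = H(K || M), the insecure form

def hmac_toy(key, msg):
    # HMAC structure over the same toy hash (keys of at most BLOCK bytes).
    k = key.ljust(BLOCK, b"\x00")
    inner = md_hash(bytes(b ^ 0x36 for b in k) + msg)
    return md_hash(bytes(b ^ 0x5C for b in k) + inner)

def extend(tag, key_len, msg, suffix):
    # Uses only the tag and lengths: the tag is the chaining value after
    # K || M || L, so hashing M' || L' can continue from it without K.
    glue = md_pad(key_len + len(msg))                    # the "L" of the post
    prior = key_len + len(msg) + len(glue)
    return msg + glue + suffix, md_hash(suffix, state=tag, prior_len=prior)

def demo():
    key, msg, suffix = b"constructed-key", b"constructed message M", b"appended M'"
    ext_msg, ext_tag = extend(naive_mac(key, msg), len(key), msg, suffix)
    naive_accepts = naive_mac(key, ext_msg) == ext_tag
    hm_msg, hm_tag = extend(hmac_toy(key, msg), len(key), msg, suffix)
    hmac_accepts = hmac_toy(key, hm_msg) == hm_tag
    return naive_accepts, hmac_accepts

if __name__ == "__main__":
    print(demo())
```

The length field does not help the naive construction because the padding, length included, simply becomes part of the extended message.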