
New Video from @Computerphile: Exploring SHA-256 and Length Extension Attacks
In this video, the presenter discusses an implementation of the SHA-256 hashing algorithm and a technique known as a "length extension attack." The primary goal is to demonstrate how an attacker can use this technique to modify a banking transaction without knowing the secret key used to authenticate the transaction.
The presenter begins by explaining that he modified a standard implementation of SHA-256 in Java to include a hash continuation function. This function allows the hashing process to resume from a certain point, using the current hash and the length of the existing message. This modification is crucial for the length extension attack, as it enables the attacker to extend the message and recalculate the hash without knowing the secret key.
To illustrate this attack, the presenter uses an example of a banking transaction between two fictional banks, A and B. Bank A creates a transaction, hashes it together with its secret key, and sends the message and hash to Bank B. Bank B then verifies the transaction by recalculating the hash and comparing it to the one received. If the hashes match, the transaction is authenticated.
The attacker intervenes by intercepting the message and hash sent by Bank A. Using the hash continuation function, the attacker can extend the original message with a new segment of data (the attack) and recalculate the corresponding hash. The new hash is valid because the continuation function resumes from the intercepted hash, which already covers the secret key and the original message, and then processes the extension added by the attacker.
The presenter then explains the technical steps of the attack. He shows how to add the necessary padding to the original message to simulate the behavior of the SHA-256 algorithm. He then creates a new segment of data (the attack) and concatenates it with the original message and padding. Finally, he uses the hash continuation function to calculate the new hash, which will be valid for the extended message.
The attack is tested by modifying the amount of the banking transaction. The presenter demonstrates that Bank B accepts the modified transaction as valid, even though the amount has been significantly increased. This highlights the power of the length extension attack and the vulnerability of systems that use message authentication codes based on SHA-256 without additional protections.
In conclusion, the presenter emphasizes that this attack is possible due to the way SHA-256 handles messages and padding. To avoid this type of vulnerability, it is recommended to use more robust authentication methods, such as HMAC or digital signatures based on RSA or DSA. This video provides a fascinating insight into potential flaws in security systems and the importance of understanding the underlying mechanisms to protect them effectively.