Hacker News new | ask | show | jobs
by rakoo 4350 days ago 

  key_data = hashlib.sha256()
  key_data.update( base_phrase + ' - ' + door_id )
Congratulations, your program is vulnerable to length-extension attack [0].

What you want is something secret determining the output of something public... so instead of reinventing the wheel (the number 1 source of issues in crypto), use the standard, ie HMAC [1].

Now for the rest of the algorithm, IANAC, but truncating sounds like a bad idea.

[0] https://en.wikipedia.org/wiki/Length_extension_attack

[1] https://en.wikipedia.org/wiki/HMAC
3 comments
etep 4349 days ago
> The password quality is just adequate, but I think the idea has potential to be very secure.

The op makes no broad claims. I think your insights are helpful, but I would change your wording from "Congratulations" to "unfortunately" and then politely point out how to resolve the issue.

link
hackcasual 4349 days ago
There is no issue. Length extension requires the full (or as close to full as to make no difference) output of the hash function.

The problem with hash functions like SHA1,2 and MD5 is that their output represents their entire internal state.

In this case let's say an attacker recovered the password for door 1. They can then compute what the passwords associated with Door's whose number starts with 1.

As the password is substantially truncated, this does not represent the final state of the hash, and the attack is not useful.

That aside, this still suffers from weak key derivation, allowing a more direct bruteforce attack, as others have mentioned.

link
gcommer 4349 days ago
I agree that HMAC is the better option, but I don't see any reasonable scenario where length-extension is actually relevant for this application.

Also, I think that truncating actually improves security: An attacker who knows n (door_id, password) pairs and is bruteforcing the base_phrase can only check each base_phrase candidate for the first m bytes. This increases the odds of a 'false collision' in the brute forcing; that is, they find a different base_phrase which happens to work for their (door_id, password) pairs, but won't work for door_ids which they don't know.

link
hackcasual 4349 days ago
Truncation prevents the length extension attack.
link