Am I misunderstanding how to use your library? #8

Open
@S3j5b0

Hi, I tried to use your small example in order to create a proof of concept for myself of how an attack would work.

So I made this small script:

import hlextend
import hashlib


def hash(message, secret):
    # Secret-prefix MAC: sha1(secret || message), with the str payload encoded as UTF-8
    payload = secret + message
    hash_object = hashlib.sha1(bytes(payload, "utf-8"))
    return hash_object.hexdigest()


message = "hello"
secret = "secret1234"

# First, we create our own hash
print(hash(message, secret))
# 52e98441017043eee154a6d1af98c5e0efab055c

# We then try to make a forged hash, using length extension, where we try to append the word "file"
# (the third argument, 10, is the length of the secret "secret1234")
sha = hlextend.new('sha1')
forged = sha.extend("file", message, 10, '52e98441017043eee154a6d1af98c5e0efab055c')
print(forged)
print(sha.hexdigest())

# And now we check whether our forged signature is correct:
print(hash(forged, secret))

But this does not work: currently the last line prints 876d8406a52c71321930e99ac44740ccaea3d080, while it should be c60fa7de0860d4048a3bfb36b70299a95e6587c9, as described in your readme.
Have I misunderstood something about how your library works?
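An added example, not part of this issue or of hlextend, that isolates one way a digest over a forged message can differ from the library's: sha1(secret || message) computed over the raw forged bytes versus over a str re-encoded with UTF-8, which turns the 0x80 padding byte into two bytes (C2 80). It rebuilds the padded message from the issue's own values without the library and shows HMAC-SHA1 as the construction a verifier should use instead; it assumes extend() returned the forged message as a str holding one character per byte (latin-1 style).

```python
import hashlib
import hmac

# Constructed to match the values used in the issue above.
SECRET = b"secret1234"
KNOWN_MSG = b"hello"
APPEND = b"file"


def md_padding(total_len: int) -> bytes:
    """SHA-1 (Merkle-Damgard) padding for a message of total_len bytes:
    0x80, zero bytes up to 56 mod 64, then the bit length as 64-bit big-endian."""
    zeros = (56 - (total_len + 1)) % 64
    return b"\x80" + b"\x00" * zeros + (total_len * 8).to_bytes(8, "big")


def forged_message(known: bytes, secret_len: int, append: bytes) -> bytes:
    """The bytes a verifier must receive for a length extension to line up:
    known data, the padding of secret||known, then the appended data.
    The 0x80 byte here is the one that a UTF-8 re-encoding corrupts."""
    return known + md_padding(secret_len + len(known)) + append


def naive_mac(secret: bytes, message: bytes) -> str:
    """The construction from the issue: sha1(secret || message). Extendable."""
    return hashlib.sha1(secret + message).hexdigest()


def utf8_roundtrip(raw: bytes) -> bytes:
    """Simulates bytes(payload, 'utf-8') applied to a str built byte-for-byte
    from raw: every byte >= 0x80 grows to two bytes, so the digest changes."""
    return raw.decode("latin-1").encode("utf-8")


def hmac_mac(secret: bytes, message: bytes) -> str:
    """HMAC-SHA1 over the message; its output is not subject to extension."""
    return hmac.new(secret, message, hashlib.sha1).hexdigest()


def verify_hmac(secret: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_mac(secret, message), tag)


if __name__ == "__main__":
    forged = forged_message(KNOWN_MSG, len(SECRET), APPEND)
    print(forged)                                                # same bytes hlextend returns
    print("raw bytes   :", naive_mac(SECRET, forged))            # compare with sha.hexdigest()
    print("utf-8 bytes :", naive_mac(SECRET, utf8_roundtrip(forged)))  # one byte longer
    print("hmac genuine:", verify_hmac(SECRET, KNOWN_MSG, hmac_mac(SECRET, KNOWN_MSG)))
```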
