Score:0

Crypto

Are RSA-SHA256 signatures prone to length extension attacks?

vdavid

7/21/23, 11:17 AM

I need to sign a message using a private key and verify the message with a public key, while making sure the message hasn’t been tampered.

I know that SHA-256 itself is prone to length-extension attacks.

I also know that things like HMAC have been specifically designed to circumvent such attacks.

But what if I sign a message with RSA and SHA-256? Are they safe?

Do I need to sign the RSA/SHA3 to be protected? Or maybe truncated versions of SHA2 (namely SHA-384 and SHA-512/256) which are allegedly not susceptible to length-extension attacks?

Would HMAC be a better approach to this problem?

I’m considering using RSA which is probably the most famous among asymmetric cryptography. Feel free to point me to something else if there’s a better option. I need something supported by OpenSSL and the Node.js crypto module (which, as far as I know, is also based on OpenSSL).

PS. I’m a bit new to the crypto community, so I hope my words make sense.

-- addendum--

Here is my concern about RSA-SHA256.

Let’s say the message is $M$ and its hash is $SHA256(M)$.

An attacker can use them to compute $M||X$ and $SHA256(M||X)$, even without knowing the private key. In this case, the recipient of $M||X$ and its signature $SHA256(M||X)$ shall believe that the message is valid because the message and its signature do match.

At least that’s what happens if RSA_sign simply uses the raw hash. If RSA passes the hash through a HMAC-like technique or any algorithm that prevents the attacker from forging a signature, I guess we’re safe.

0 + 0

rsa

signature

sha-256

length-extension

sha-3

kelalaka

7/21/23, 12:28 PM

A possible dupe of: [How can Hashed Value be same in length extension attack?](https://crypto.stackexchange.com/q/87696/18298)

AleksanderCH

7/21/23, 2:08 PM

Does this answer your question? [Is HMAC needed for a SHA-3 based MAC?](https://crypto.stackexchange.com/questions/17735/is-hmac-needed-for-a-sha-3-based-mac)

vdavid

7/21/23, 2:26 PM

@AleksanderCH thanks for the link. It partially answers the question. It shows that a SHA3-based MAC would be safe without a HMAC, which was one of my assumptions. But it doesn’t tell if RSA-SHA256 sign/verify is safe, which is my main question.

kelalaka

7/21/23, 8:34 PM

Does this answer your question? [How can Hashed Value be same in length extension attack?](https://crypto.stackexchange.com/questions/87696/how-can-hashed-value-be-same-in-length-extension-attack)

vdavid

7/22/23, 9:52 AM

@kelalaka that’s an interesting read about how length-extension attacks work, but it doesn’t tell if RSA-SHA256 is susceptible to them.

Score:5

Crypto

poncho

7/21/23, 11:26 AM

But what if I sign a message with RSA and SHA-256? Are they safe?

Length extension attacks are not a concern.

Here is what a length extension attack allows you do to: if you are given the hash $\text{SHA256}(M)$, but you don't know the original message $M$ (but you do know its length), then you can compute the value of the hash $\text{SHA256}(M || X)$ (where $||$ is bitstring concatenation, and for some values of the string $X$); the value of this hash will be different than the original hash.

So, why isn't this a concern:

When you have a signature of a known message $M$, you obviously know $M$; you can (should you want) compute $\text{SHA256}(M || X)$ for any string $X$ you want; you don't need a "length extension attack"
RSA signs the value $\text{SHA256}(M)$; the value $\text{SHA256}(M || X)$ will be different, and so if you replace $M$ with $M || X$, the signature will not verify

0 + 0

vdavid

7/21/23, 12:59 PM

My concern is, the attacker knows `M` and `SHA256(M)`, so he may compute `M||X` and `SHA256(M||X)` (even without knowing the private key). In this case, the recipient of `M||X` and its signature `SHA256(M||X)` will not know that the message was tampered because the altered message and its signature will match. Well, at least that’s what happens if RSA_sign simply uses the raw hash. If RSA passes the hash through a HMAC-like technique, I guess we’re safe.

poncho

7/21/23, 1:14 PM

@vdavid: "so he may compute `M||X` and `SHA256(M||X)` (even without knowing the private key)." - how is that different from (say) SHA3? With SHA3, if he knows $M$ and selects $X$, he can compute `SHA3(M||X)`. If you're thinking that `SHA256(M||X)` will be the same value as `SHA256(M)`, well no, that's not how it works.

fgrieu

7/21/23, 1:56 PM

@vdavid: Your _"the recipient of `M||X` and its signature `SHA256(M||X)`…"_ is in error. `SHA256(M||X)` is not the signature of `M||X`. It's an intermediary step in computing a signature of `M||X`, as a function of `SHA256(M||X)`, private key, optional randomness. Among the three inputs of this function, only the private key is secret. Thus it is not an issue that `SHA256(M||X)` is easy to compute; it's a functional requirement.

vdavid

7/21/23, 2:17 PM

@poncho SHA3 is theoretically better because, unlike SHA-256, I think we *cannot* use `M` and `SHA3(M)` to forge a `SHA3(M||X)`

vdavid

7/21/23, 2:19 PM

@fgrieu OK if the hash is an intermediate step, I guess the signature cannot be tampered

fgrieu

7/21/23, 2:25 PM

@vdavid: you are correct that SHA3, unlike SHA-256, has no length-extension property. However you are incorrect in what that prevents. It prevents computing `SHA3(M||X)` from `SHA3(M)` _unless_ one has complete knowledge of `M` (in the case of SHA-256, one further needs to restrict to some `X` with precisely the right start, dependent on the length of `M`). With knowledge of `M`and `X` one can compute `SHA3(M||X)`, for any `M` and `X`. Note: the Right Thing will be to accept poncho's answer by clicking on the tick.

vdavid

7/21/23, 2:30 PM

@fgrieu You’re right. And because `M` is not secret in my case, I believe this property doesn’t give SHA3 a significant advantage over SHA-256 (at least, not from a length-extension point of view).

kelalaka

7/21/23, 8:34 PM

Actually it should be $\text{SHA256}(M || padding_1|| X)$ since the original hash has a padded and during extension SHA-256 calculates another padding.

poncho

7/21/23, 8:39 PM

@kelalaka: actually, I had included $padding_1$ in the $X$ - that's why I said it was for 'some X' - I didn't think the details of the length-extension attack was actually relevant - he's not attempting to perform the attack, instead, he is asking about the implications.

kelalaka

7/21/23, 8:44 PM

$M$ is the message that is free for all to verify the signature with it, Imho, this detail is still important.

vdavid

8/4/23, 12:32 PM

@kelalaka I’d say the padding matters if the wrong padding makes RSA vulnerable to forge a valid signature for a tampered message. Is it something I should be concerned with?

poncho

8/4/23, 12:40 PM

@vdavid: *padding* is being used in two different senses; one is some padding done as a part of the SHA256 computation (which is a detail that you don't need to be concerned with, unless you're implementing SHA256). The other is padding done after the hash and just before the raw RSA computation - that is important (getting it wrong would allow someone to generate forgeries), however it has nothing to do with length-extension attacks.

vdavid

8/4/23, 12:59 PM

@poncho what kind of other forgeries could happen if I use the wrong padding? Is there a recommended padding? I’ve yet to choose one among PKCS (or any other that would be better for RSA).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Are RSA-SHA256 signatures prone to length extension attacks?

TH: ลายเซ็น RSA-SHA256 มีแนวโน้มที่จะถูกโจมตีด้วยส่วนขยายความยาวหรือไม่

RO: Sunt semnăturile RSA-SHA256 predispuse la atacuri de extensie de lungime?

RU: Подвержены ли подписи RSA-SHA256 атакам с расширением длины?

VI: Chữ ký RSA-SHA256 có dễ bị tấn công mở rộng không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.