It is often said that when using the MD5 algorithm to sign some arbitrary information, the shared secret has to be at the end. Why?
- Can you please be more specific instead of saying 'often said'? Can you cite references, and also expand on why the issue is relevant? – Suresh Venkat Aug 16 '10 at 20:38
- There's a typo in your question title: can you change "and" to "end"? – Carlos Scheidegger Aug 16 '10 at 21:54
1 Answer
See "extension attacks" in the Merkle-Damgård construction. This issue arises in the use of hash functions for message authentication.
In short, putting the secret in the beginning allows the attacker, given a message and its hash, to forge any message which has the given message as a prefix. This is a problem for naive codes but is avoided by well-known codes like HMAC.
randomwalker
- From what I understand, if you break the input stream and the shared key is the beginning of the stream, then the first block will almost always get the same hash and so the shared key can be guessed by the use of rainbow attacks, right? – Alexandru Aug 16 '10 at 20:58
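The property the answer describes, as an added example that is not part of the original post: a toy Merkle-Damgård hash (constructed here, not MD5 itself, sharing only the chaining structure) shows that a secret-prefix tag H(k||m) can be continued into a tag for a longer message that the verifier accepts, while the secret-suffix form H(m||k) the question asks about and HMAC built over the same hash both reject the same continuation. The key, message and suffix values are constructed sample data.

```python
import hmac
import struct

BLOCK = 16                      # toy block size in bytes (MD5 uses 64)
MASK = (1 << 64) - 1
IV = 0x0123456789ABCDEF         # constructed initial chaining value

def compress(state: int, block: bytes) -> int:
    """Toy compression function: NOT MD5, it only shares the chaining structure."""
    b = int.from_bytes(block, "big")
    x = state ^ (b & MASK) ^ (b >> 64)
    x = (x * 0x9E3779B97F4A7C15 + 0x632BE59BD9B4E019) & MASK
    return x ^ (x >> 29)

def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length as a 64-bit word."""
    zeros = (BLOCK - (total_len + 1 + 8) % BLOCK) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def md_hash(msg: bytes, state: int = IV, prior_len: int = 0) -> bytes:
    """Toy Merkle-Damgard hash. state/prior_len resume the chain from a known digest."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state.to_bytes(8, "big")

def secret_prefix_tag(key: bytes, msg: bytes) -> bytes:   # H(k || m): the naive code
    return md_hash(key + msg)
def secret_suffix_tag(key: bytes, msg: bytes) -> bytes:   # H(m || k): what the question asks about
    return md_hash(msg + key)
def hmac_tag(key: bytes, msg: bytes) -> bytes:            # HMAC over the same toy hash
    if len(key) > BLOCK:
        key = md_hash(key)
    k = key.ljust(BLOCK, b"\x00")
    inner = md_hash(bytes(c ^ 0x36 for c in k) + msg)
    return md_hash(bytes(c ^ 0x5C for c in k) + inner)

def extends(tag_fn, key: bytes, msg: bytes, suffix: bytes) -> bool:
    """Does tag_fn's verifier accept msg||glue||suffix with a tag derived only from
    (msg, tag, len(key))? True means the scheme is length-extendable (forgeable)."""
    tag = tag_fn(key, msg)
    glue = md_pad(len(key) + len(msg))          # the padding the hash appended internally
    forged_msg = msg + glue + suffix
    forged_tag = md_hash(suffix, int.from_bytes(tag, "big"), len(key) + len(msg) + len(glue))
    return hmac.compare_digest(tag_fn(key, forged_msg), forged_tag)

if __name__ == "__main__":
    key, msg, suffix = b"s3cret", b"amount=10", b"&amount=1000"   # constructed sample values
    for fn in (secret_prefix_tag, secret_suffix_tag, hmac_tag):
        print(f"{fn.__name__:18} forgeable by extension: {extends(fn, key, msg, suffix)}")
```

The suffix form only resists this particular extension; its security then rests on the hash's collision resistance, which MD5 no longer has, so HMAC is the construction to use.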