No description, website, or topics provided.
Java
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
src
.gitignore
README

README

Allows you to test hashextension (extending an existing hash).

This is meant to prove that signatures on the form Hash(secret + data to sign) are vulnerable.

Most notably this was a problem for Flickr a while back because they used
MD5(API_KEY + parameters)

You need bouncycastle to use this
Tested with bcprov-jdk16-146.jar

For a thorough explanation see:
http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/

Oh, and don't use hash(secret + data). Use HMAC instead.



Testing it with TestSignature:
------------------------------
Initial run:
java -cp ..\lib\bcprov-jdk16-146.jar;. TestSignature
Running with given signed value:
java -cp ..\lib\bcprov-jdk16-146.jar;. TestSignature id=1 36beedfbdfeff01a77b65173c343c0b3
Extending the hash (notice the missing = character in the last parameter):
java -cp ..\lib\bcprov-jdk16-146.jar;. ExtendMD5 36beedfbdfeff01a77b65173c343c0b3 11 id2
Running the extended hash (garbling the name of the first parameter, adding the padding, and adding a new id=2 at the end):
java -cp ..\lib\bcprov-jdk16-146.jar;. TestSignature "i=d1%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%58%00%00%00%00%00%00%00&id=2" 0b6d44409e9d5be9257dbd531ef583ca