
During a pentest some time ago, I came across an interesting functionality, and upon research, it appeared that I had partial control over the starting value in an MD5 hash.

With some more digging, the final hash was a result of md5(secret-key:my-value).

After I realised this, I moved on as the implementation didn't seem vulnerable.

Thinking back, is it possible that this is insecure? For example, it might be brute-forceable with a short secret key. I can't really think of anything else; I would be grateful for another point of view.

schroeder
JZ T
    I think you are just seeing the law of averages at work. For any hash function, with a little brute force (~256 attempts), you can find an input that results in a hash where the first byte is 0. With a little more brute force (~65536 attempts), you can find an input that results in a hash where the first two bytes are 00, etc. But this does not necessarily imply that the hash function is weak (although MD5 is no longer recommended). – mti2935 Feb 04 '22 at 12:53
  • This is the so-called secret-prefix construction and is vulnerable to length extension attacks. We already have a dupe on [cryptography.se]. – kelalaka Feb 04 '22 at 15:15
  • Could you elaborate on what you mean by "it appeared that I had partial control over the starting value"? – Anders Feb 04 '22 at 16:21
  • You say you have partial control over the prefix, but then you give an example where you only have control over the suffix. – forest Apr 22 '22 at 00:31
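
An added example, not code from the question or its comments, that puts the threads above side by side in Python: the secret-prefix tag exactly as the question describes it, an HMAC replacement with constant-time verification (the usual fix for the construction kelalaka names), and the leading-zero-byte search mti2935 describes. The key, value and seed bytes are constructed for the demonstration.

```python
import hashlib
import hmac


def secret_prefix_tag(key: bytes, value: bytes) -> str:
    # The scheme from the question: md5(secret-key ':' my-value).
    # The 16-byte digest is MD5's final internal state, so a valid tag can
    # be continued by anyone without the key (length extension). That is
    # the weakness the secret-prefix construction is known for.
    return hashlib.md5(key + b":" + value).hexdigest()


def hmac_tag(key: bytes, value: bytes) -> str:
    # Mitigation: HMAC runs a second keyed hash over the inner digest, so
    # the tag is not a reusable internal state. SHA-256 is used here because
    # MD5 is deprecated; HMAC-MD5 would also resist length extension.
    return hmac.new(key, value, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, value: bytes, tag: str) -> bool:
    # Constant-time comparison so a wrong tag is not rejected byte by byte.
    return hmac.compare_digest(hmac_tag(key, value), tag)


def find_zero_prefix(nbytes: int, seed: bytes = b"constructed-"):
    # mti2935's "law of averages": each extra leading zero byte multiplies
    # the expected number of attempts by 256 (about 256 for one byte, about
    # 65536 for two). Returns (attempts, winning input, hex digest).
    attempts = 0
    while True:
        attempts += 1
        candidate = seed + str(attempts).encode()
        digest = hashlib.md5(candidate).digest()
        if digest[:nbytes] == b"\x00" * nbytes:
            return attempts, candidate, digest.hex()


if __name__ == "__main__":
    key, value = b"constructed-secret", b"my-value"
    print("secret-prefix tag:", secret_prefix_tag(key, value))
    tag = hmac_tag(key, value)
    print("hmac tag:", tag, "verifies:", verify_tag(key, value, tag))
    for n in (1, 2):
        attempts, _, hexdigest = find_zero_prefix(n)
        print(f"{n} zero byte(s): {attempts} attempts -> {hexdigest}")
```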

0 Answers