Length extension attacks: the SHA2 algorithm

Many authentication/authorization implementations rely on signed assertions; JWT and SAML are two popular examples. If the signature is a plain salted hash of the message, then it is possible to append arbitrary data to the message and generate a new valid signature without knowing the salt. This is the so-called "length extension attack".