amlweems
key length?
In order to successfully execute a hash length extension attack, the attacker is required to know the length of the secret key. One way to accomplish this is simple brute force. By trying various lengths and examining the response from the oracle (most likely some server), an attacker can determine the length of the key.
After reading the above and reviewing the parameters that hexpand takes, I'm confused. How does hexpand work without a parameter for key length?
After re-reading the example from README, it appears that the l/length parameter value should be original message length + key length (instead of original message length).
From the example: SECRETKEY (length 10) Hey Alice, let's meet at the place tonight. (length 45) ~~So length would be 54 (9+45). But in the example the parameter is "-l 55".~~ So the length is 55.
It appears that the help text for l/length should be changed from
-l --length the length of the original message
to
-l --length the length of the original message plus the length of the secret key
~~And perhaps I am missing something about the example, but it appears to me that it should have -l 54 (instead of -l 55).~~
I see now that the secret key includes the newline at the end, so the length is 55.