Length extension attack

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message₁) and the length of message₁ to calculate Hash(message₁ ‖ message₂) for an attacker-controlled message₂, without needing to know the content of message₁. This is problematic when the hash is used as a message authentication code with construction Hash(secret ‖ message), and message and the length of secret is known, because an attacker can include extra information at the end of the message and produce a valid hash without knowing the secret. Algorithms like MD5, SHA-1 and most of SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Truncated versions of SHA-2, including SHA-384 and SHA-512/256 are not susceptible, nor is the SHA-3 algorithm. HMAC also uses a different construction and so is not vulnerable to length extension attacks.