top | item 35965466

(no title)

hoppla | 2 years ago

Looked at a 6 byte hash today. Modifying the hash or the data attached to it made the API respond with an error saying untrusted input. The data is an encrypted blob and the hash protects it from being tampered with.

My guess is that it’s a truncated md5(secret + data) or hmac. Either way, with a sufficient long a secret, I won’t be able to guess it (offline), and because of the truncation, length extensions also out of the question.

With only 48 bits of entropy, I can’t shake the feeling that there are practical attacks I have not considered.

discuss

No comments yet.