HL101

MD5, SHA-1, RIPEMD-160, Whirlpool and the SHA-256 / SHA-512 hash algorithms all vulnerable to length-extension attacks and should not be used for obfuscating or protecting data without HMAC.

Examples

The following examples would raise a warning:

import hashlib
hashlib.new('sha256')

import hashlib
hashlib.whirlpool()

Fix

Use another hashing algorithm, e.g. blake2

See Also

• About Length Extension Attacks