
Correct me if I am wrong, but this is my understanding of Merkle–Damgård hashes:

  • $n$ is the state/digest size of hash function in bits.
  • $k$ is the input block size of the compression function in bits.
  • $C(s, x)$ is the compression function, where $s$ is the internal state and $x$ is the message block.
  • $x_i$ for $i=1 \ldots t$ is an appropriately padded sequence of $k$-bit blocks.
  • $y_0$ is the initialization vector.
  • $y_i = C(y_{i-1}, x_i) \oplus y_{i-1}$ for $i=1 \ldots t$.
  • The hash output is $y_t$.

If $C(s, m)$ were changed to $C(s, m, p)$, where $p$ is incorporated into the round function of $C$, would using a different value of $p$ during the calculation of $y_t$ thwart length extension attacks?

Melab

1 Answer


would using a different value of $p$ during the calculation of $y_t$ thwart length extension attacks?

Yeah, pretty much (assuming, of course, that the method of stirring in $p$ prevents an adversary from finding an $x'_t$ that makes it work).

On the other hand, length extension attacks aren't usually all that useful in practice. For it to be useful, not only does the adversary have to not know the entire hashed message, he also has to be able to add fairly arbitrary octets at the end (which generally include 00 bytes, which often causes practical difficulties), and he has to be happy with a hash value that's not the original one (for example, if the original hash value is signed, length extension attacks don't help).

It's enough to show that the straightforward construction $H(k \| m)$ is not a secure message authentication code (for $H = \text{SHA-1}, \text{SHA-224}, \text{SHA-256}, \text{SHA-512}$); however, that's about it.

Maarten Bodewes
poncho
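The following is an added worked example, not code from the question or the answer. It implements the Merkle–Damgård chain exactly as the question defines it ($y_0 = \mathrm{IV}$, $y_i = C(y_{i-1}, x_i) \oplus y_{i-1}$, output $y_t$), runs the length extension attack the answer describes against $H(k \| m)$, and then repeats it with a different $p$ fed into $C$ on the last block to show why the attacker's resumed chain no longer matches. The concrete parameters are assumptions for the demo: $n = 128$ bits, $k = 256$ bits, a fixed IV, SHA-256-style padding, and a stand-in compression function $C(s, x, p)$ built by truncating SHA-256 over $p \| s \| x$. The secret, message and suffix are constructed sample inputs.

```python
import hashlib
import struct

# Toy Merkle-Damgard hash following the question's construction:
#   y_0 = IV,  y_i = C(y_{i-1}, x_i) XOR y_{i-1},  output y_t.
# Parameters chosen for this example (assumptions, not from the post):
N_BYTES = 16   # n = 128-bit state/digest
K_BYTES = 32   # k = 256-bit message block
IV = bytes(range(N_BYTES))


def compress(s: bytes, x: bytes, p: bytes) -> bytes:
    """C(s, x, p): stand-in compression function built from SHA-256 (assumption)."""
    return hashlib.sha256(p + s + x).digest()[:N_BYTES]


def md_pad(total_len: int) -> bytes:
    """MD strengthening: 0x80, zero fill, then the 64-bit big-endian bit length."""
    zeros = (-(total_len + 9)) % K_BYTES
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def md_hash(message: bytes, *, tweaked: bool = False,
            state: bytes = IV, prefix_len: int = 0) -> bytes:
    """Hash `message`, resuming from `state` after `prefix_len` bytes were already absorbed.

    With tweaked=True the final block uses p=0x01 instead of 0x00, i.e. a
    different p "during the calculation of y_t" as the question proposes.
    """
    data = message + md_pad(prefix_len + len(message))
    blocks = [data[i:i + K_BYTES] for i in range(0, len(data), K_BYTES)]
    y = state
    for i, x in enumerate(blocks):
        last = i == len(blocks) - 1
        p = b"\x01" if (tweaked and last) else b"\x00"
        y = xor(compress(y, x, p), y)   # feed-forward from the question's definition
    return y


def length_extend(digest: bytes, known_len: int, suffix: bytes, *, tweaked: bool = False):
    """Forge H(secret || m || glue || suffix) from H(secret || m) and len(secret || m).

    The attacker never sees `secret`; it only replays the padding ("glue") the
    hash appended and resumes the chain from the published digest.
    """
    glue = md_pad(known_len)
    forged = md_hash(suffix, tweaked=tweaked, state=digest,
                     prefix_len=known_len + len(glue))
    return glue, forged


def extension_succeeds(tweaked: bool) -> bool:
    """True if the forged tag equals the honest tag for the extended message."""
    secret = b"correct horse battery staple"      # constructed; unknown to the attacker
    m = b"amount=10&to=alice"                       # constructed message
    suffix = b"&to=mallory"                         # attacker-chosen extension
    tag = md_hash(secret + m, tweaked=tweaked)      # the H(k || m) "MAC"
    glue, forged = length_extend(tag, len(secret) + len(m), suffix, tweaked=tweaked)
    honest = md_hash(secret + m + glue + suffix, tweaked=tweaked)
    return forged == honest


if __name__ == "__main__":
    print("plain MD, H(k||m) extended:", extension_succeeds(tweaked=False))   # True
    print("tweaked last block, extended:", extension_succeeds(tweaked=True))  # False
```

In the untweaked run the attacker's resumed chain reproduces the honest digest, because $y_t$ is the complete internal state and the XOR feed-forward adds nothing the attacker lacks. In the tweaked run the published $y_t$ was produced with $p = 1$, but in the honest hash of the longer message that same block is no longer last and is processed with $p = 0$, so the attacker starts from the wrong state; beating this would require the $x'_t$ collision the answer's parenthetical refers to. The attacker does not even need the exact secret length: in practice one forges a candidate for each plausible length and lets the verifier reveal which glue was right. Real SHA-2 has no such finalization tweak, which is why $H(k \| m)$ fails as a MAC and HMAC is used instead.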