SHA-256 — Length Extension Attack on API Auth

In 2012, LinkedIn's password database was breached — 117 million passwords stored as unsalted SHA-1 hashes. Within days, 90% were cracked using rainbow tables. In 2013, Adobe lost 153 million passwords — stored with a symmetric cipher that was essentially a homebrew hash. In 2009, the RockYou breach exposed 32 million passwords stored in plaintext. Every one of these breaches was made catastrophic by engineers who didn't understand what cryptographic hash functions guarantee and — more importantly — what they don't.

SHA-256 produces a 256-bit digest for any input. It is deterministic (same input always produces same output), fast to compute (~500 MB/s on modern CPUs), and as of 2026, has no known practical attacks. It underpins HTTPS certificates, Bitcoin's proof-of-work, code signing, Git's object addressing, and TLS handshake integrity. But knowing that SHA-256 is 'secure' is table stakes. The senior engineer understands the specific properties it provides, which ones it doesn't provide (it is NOT a password hashing function), exactly where in the stack it belongs, and why length extension attacks mean you can't use raw SHA-256 as a message authentication code.

I've spent years working with cryptographic systems — first at a defence contractor where we implemented SHA-256 in FIPS 140-2 validated modules, later at a fintech where SHA-256 was everywhere: in our TLS termination layer, in our JWT signing pipeline, in our audit log integrity chain, and in our database encryption key derivation. The mistakes I've seen in code reviews and production systems are consistent: engineers reach for SHA-256 when they should use bcrypt for passwords, use raw SHA-256 when they should use HMAC-SHA256 for authentication, and don't understand why the birthday paradox means collision resistance is 128 bits, not 256.

This article walks through SHA-256 from first principles — the Merkle-Damgård construction, the 64-round compression function, the message schedule with its bitwise operations, and the specific security properties each component provides. You'll understand the internal mechanics well enough to explain them in an interview, and the practical guidance to avoid the production mistakes I've seen cost companies their users' trust.

By the end, you'll know when SHA-256 is the right tool, when it isn't (passwords, key derivation without KDF), how it compares to SHA-3 and BLAKE3, and how it fits into the broader cryptographic stack alongside HMAC, digital signatures, and key derivation functions.

Properties of Cryptographic Hash Functions

A cryptographic hash function is a one-way function with specific mathematical guarantees. Not all hashes are cryptographic — CRC32, Adler-32, and FNV are designed for speed and error-detection, not security. Using a non-cryptographic hash where a cryptographic one is needed is a class of vulnerability called 'hash confusion.' I've seen this in production: a developer used Python's built-in hash() function (which is randomized SipHash, not cryptographic) for session token generation. It worked fine until the server restarted and all sessions invalidated because the random seed changed.

The guarantees you need to know cold:

Pre-image resistance (one-wayness): Given h, it is computationally infeasible to find any message m where H(m) = h. This is the property that makes password verification work — store H(password), verify by hashing the input and comparing. You never need to reverse it. If pre-image resistance breaks, an attacker who steals your hash database can recover all passwords. For SHA-256, the best known pre-image attack requires 2^256 operations — thermodynamically impossible (would require more energy than exists in the observable universe).

Second pre-image resistance: Given a specific message m1, it is computationally infeasible to find a different message m2 ≠ m1 where H(m1) = H(m2). This protects code signing — an attacker can't create a malware binary with the same SHA-256 hash as a legitimate signed binary. Note the difference from collision resistance: here the attacker is given m1 and must find m2. In collision resistance, the attacker chooses both.

Collision resistance: It is computationally infeasible to find ANY two distinct messages m1, m2 where H(m1) = H(m2). By the birthday paradox, the expected number of attempts to find a collision is 2^(n/2) where n is the hash length. For SHA-256, that's 2^128 — still astronomically large. Note: collision resistance implies second pre-image resistance, but not vice versa. This is the property that broke MD5 (2004, Wang et al.) and SHA-1 (2017, SHAttered) — collision attacks were found before pre-image attacks.

Determinism: The same input always produces the same output. This seems obvious, but it's critical — it's what makes hash-based integrity checks reliable. Non-deterministic hashes (like Python's hash()) are useless for cryptographic purposes.

Avalanche effect: Flip one bit in the input, and approximately half the output bits change. SHA-256('Hello') and SHA-256('hello') share zero structural similarity in their outputs. This property ensures that similar passwords produce completely different hashes — no information leaks about input similarity from the hash output.

Pre-image resistance vs collision resistance — know the difference for interviews: Pre-image resistance is about inverting a specific hash (given h, find m). Collision resistance is about finding any two inputs that hash to the same value (find m1, m2). Collision resistance is weaker — the birthday bound means you only need 2^(n/2) attempts instead of 2^n. This is why SHA-256 provides 128-bit collision resistance and 256-bit pre-image resistance.

SHA-256 Internals — Merkle-Damgård Construction and the Compression Function

Most SHA-256 explanations stop at 'it's a hash function.' That's not enough for interviews or for understanding why SHA-256 has specific vulnerabilities (like length extension). Here's how it actually works.

SHA-256 uses the Merkle-Damgård construction: a framework that turns a compression function (which operates on fixed-size blocks) into a hash function that handles arbitrary-length input. The construction has three stages:

Stage 1 — Padding: The input message is padded to a multiple of 512 bits. Padding consists of: a single '1' bit, followed by enough '0' bits, followed by a 64-bit big-endian integer representing the original message length in bits. This ensures the padding is unambiguous and binds the hash to the message length (preventing trivial collisions from different-length messages).

Stage 2 — Block processing: The padded message is split into 512-bit blocks. Each block is processed sequentially by the compression function. The output of processing block i becomes the input chaining value for block i+1. The initial chaining value (IV) is fixed — it's the first 32 bits of the fractional parts of the square roots of the first 8 primes.

Stage 3 — Compression function (64 rounds): This is the core. For each 512-bit block: - Expand the 16 input words (32 bits each) into 64 words using the message schedule: W[t] = σ₁(W[t-2]) + W[t-7] + σ₀(W[t-15]) + W[t-16], where σ₀ and σ₁ are bitwise rotation/XOR functions. - Initialize 8 working variables (a through h) from the chaining value. - Run 64 rounds. Each round: compute T₁ = h + Σ₁(e) + Ch(e,f,g) + K[t] + W[t], T₂ = Σ₀(a) + Maj(a,b,c). Then shift variables: h=g, g=f, f=e, e=d+T₁, d=c, c=b, b=a, a=T₁+T₂. - Add the result back to the chaining value.

The round constants K[t] are the first 32 bits of the fractional parts of the cube roots of the first 64 primes. The initial IV uses square roots; the round constants use cube roots. This deliberate choice of 'nothing-up-my-sleeve' numbers makes it harder to hide a backdoor in the constants.

Why this matters: The Merkle-Damgård construction is what enables the length extension attack. Because each block's output feeds into the next block's input, an attacker who knows H(m) and the length of m can compute H(m || padding || extension) without knowing m. This is why raw SHA-256 can't be used as a MAC — you need HMAC, which wraps the hash in two nested keyed operations to break the Merkle-Damgård chain.

# io.thecodeforge.crypto.hash.SHA256Internals

import struct
import hashlib


class SHA256Educational:
    """Educational implementation of SHA-256 showing every step.

    DO NOT use this in production — it's ~1000x slower than hashlib
    and has not been validated. Use it to understand the algorithm.
    """

    # Initial hash values: first 32 bits of fractional parts of
    # square roots of first 8 primes (2, 3, 5, 7, 11, 13, 17, 19)
    H_INIT = [\\\\n        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,\\\\n        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19\\\\n    ]

    # Round constants: first 32 bits of fractional parts of
    # cube roots of first 64 primes
    K = [
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
    ]

    @staticmethod
    def _rotr(n, b):
        """Rotate right: circular right shift of n by b bits."""
        return ((n >> b) | (n << (32 - b))) & 0xFFFFFFFF

    @staticmethod
    def _shr(n, b):
        """Shift right: logical right shift."""
        return n >> b

    @staticmethod
    def _ch(x, y, z):
        """Choice: for each bit position, choose y if x is set, else z."""
        return (x & y) ^ (~x & z)

    @staticmethod
    def _maj(x, y, z):
        """Majority: for each bit position, output the majority bit of x, y, z."""
        return (x & y) ^ (x & z) ^ (y & z)

    @staticmethod
    def _sigma0(x):
        """Σ₀: used in the message schedule."""
        return SHA256Educational._rotr(x, 2) ^ SHA256Educational._rotr(x, 13) ^ SHA256Educational._rotr(x, 22)

    @staticmethod
    def _sigma1(x):
        """Σ₁: used in the message schedule."""
        return SHA256Educational._rotr(x, 6) ^ SHA256Educational._rotr(x, 11) ^ SHA256Educational._rotr(x, 25)

    @staticmethod
    def _gamma0(x):
        """σ₀: used in the message schedule expansion."""
        return SHA256Educational._rotr(x, 7) ^ SHA256Educational._rotr(x, 18) ^ SHA256Educational._shr(x, 3)

    @staticmethod
    def _gamma1(x):
        """σ₁: used in the message schedule expansion."""
        return SHA256Educational._rotr(x, 17) ^ SHA256Educational._rotr(x, 19) ^ SHA256Educational._shr(x, 10)

    @staticmethod
    def _pad_message(message: bytes) -> bytes:
        """Apply SHA-256 padding: append '1' bit, zeros, and 64-bit length."""
        msg_len_bits = len(message) * 8
        # Append bit '1' (0x80 byte)
        message += b'\x80'
        # Pad with zeros until length ≡ 448 (mod 512) bits
        while (len(message) * 8) % 512 != 448:
            message += b'\x00'
        # Append original length as 64-bit big-endian
        message += struct.pack('>Q', msg_len_bits)
        return message

    @classmethod
    def hash(cls, message: bytes) -> str:
        """Compute SHA-256 hash of a message (educational implementation)."""
        # Step 1: Pad the message
        padded = cls._pad_message(message)

        # Step 2: Initialize hash values
        h = list(cls.H_INIT)

        # Step 3: Process each 512-bit (64-byte) block
        for block_start in range(0, len(padded), 64):
            block = padded[block_start:block_start + 64]

            # Prepare message schedule W[0..63]
            W = [0] * 64
            # First 16 words are the block itself
            for i in range(16):
                W[i] = struct.unpack('>I', block[i*4:(i+1)*4])[0]
            # Remaining 48 words from the schedule
            for i in range(16, 64):
                s0 = cls._gamma0(W[i-15])
                s1 = cls._gamma1(W[i-2])
                W[i] = (W[i-16] + s0 + W[i-7] + s1) & 0xFFFFFFFF

            # Initialize working variables
            a, b, c, d, e, f, g, h_var = h

            # 64 rounds of compression
            for t in range(64):
                T1 = (h_var + cls._sigma1(e) + cls._ch(e, f, g) +
                       cls.K[t] + W[t]) & 0xFFFFFFFF
                T2 = (cls._sigma0(a) + cls._maj(a, b, c)) & 0xFFFFFFFF
                h_var = g
                g = f
                f = e
                e = (d + T1) & 0xFFFFFFFF
                d = c
                c = b
                b = a
                a = (T1 + T2) & 0xFFFFFFFF

            # Add compressed chunk to current hash value
            h[0] = (h[0] + a) & 0xFFFFFFFF
            h[1] = (h[1] + b) & 0xFFFFFFFF
            h[2] = (h[2] + c) & 0xFFFFFFFF
            h[3] = (h[3] + d) & 0xFFFFFFFF
            h[4] = (h[4] + e) & 0xFFFFFFFF
            h[5] = (h[5] + f) & 0xFFFFFFFF
            h[6] = (h[6] + g) & 0xFFFFFFFF
            h[7] = (h[7] + h_var) & 0xFFFFFFFF

        # Produce the final hash value (concatenation of h[0]..h[7])
        return ''.join(f'{val:08x}' for val in h)


# --- Verify our implementation matches hashlib ---
test_messages = [
    b'',
    b'abc',
    b'The quick brown fox jumps over the lazy dog',
    b'Hello, TheCodeForge!',
]

print("Verifying educational SHA-256 against hashlib:")
print(f"  {'Message':<45} {'Match':<6} {'Hash (first 16 chars)'}")
print(f"  {'-'*45} {'-'*6} {'-'*16}")

for msg in test_messages:
    edu_hash = SHA256Educational.hash(msg)
    lib_hash = hashlib.sha256(msg).hexdigest()
    match = edu_hash == lib_hash
    display = repr(msg.decode() if msg else '(empty)')[:40]
    print(f"  {display:<45} {'✓' if match else '✗':<6} {edu_hash[:16]}")

# --- Show the padding step ---
print("\n--- Padding demonstration ---")
for msg in [b'abc', b'hello']:
    padded = SHA256Educational._pad_message(msg)
    print(f"  Original: {msg!r} ({len(msg)*8} bits)")
    print(f"  Padded:   {len(padded)} bytes ({len(padded)*8} bits)")
    print(f"  Last 8 bytes (length field): {padded[-8:].hex()}")
    print(f"  Length in bits: {struct.unpack('>Q', padded[-8:])[0]}")
    print()

# --- Show first few round constants and their origin ---
print("--- Round constants (first 8 of 64) ---")
primes = [2, 3, 5, 7, 11, 13, 17, 19,
          23, 29, 31, 37, 41, 43, 47, 53,
          59, 61, 67, 71, 73, 79, 83, 89,
          97, 101, 103, 107, 109, 113, 127, 131,
          137, 139, 149, 151, 157, 163, 167, 173,
          179, 181, 191, 193, 197, 199, 211, 223,
          227, 229, 233, 239, 241, 251, 257, 263,
          269, 271, 277, 281, 283, 293, 307, 311]
print(f"  {'t':<4} {'Prime':<6} {'∛prime frac':<15} {'K[t] (hex)':<12} {'Match'}")
for t in range(8):
    cube_root_frac = primes[t] ** (1.0/3.0) % 1
    expected = int(cube_root_frac * (2**32))
    match = expected == SHA256Educational.K[t]
    print(f"  {t:<4} {primes[t]:<6} {cube_root_frac:<15.10f} 0x{SHA256Educational.K[t]:08x}  {'✓' if match else '✗'}")

Using SHA-256 in Python — Practical Patterns

Here are the production patterns you'll actually use. Every one of these has appeared in systems I've built or audited.

Pattern 1: File integrity verification. Download a Linux ISO, verify its SHA-256 hash against the published value. If they match, the file wasn't corrupted or tampered with during download.

Pattern 2: Content-addressable storage. Git uses SHA-1 (migrating to SHA-256) to address every object by its content hash. If the content changes, the address changes. This makes the repository tamper-evident.

Pattern 3: HMAC-SHA256 for API authentication. Compute HMAC-SHA256(secret_key, message) to authenticate API requests. The recipient computes the same HMAC with the shared secret and compares. Unlike raw SHA-256(secret || message), HMAC is immune to length extension attacks.

Pattern 4: Deterministic unique IDs. Generate a deterministic ID from input data using SHA-256. Useful for deduplication, idempotency keys, and cache invalidation. The same input always produces the same ID.

Pattern 5: Commitment schemes. Publish SHA-256(prediction) before an event, reveal the prediction after. The hash commits you to the prediction without revealing it — you can't change your answer after seeing the outcome.

# io.thecodeforge.crypto.hash.SHA256Usage

import hashlib
import hmac
import os
import json
import time
from typing import Optional


# ============================================================
# PATTERN 1: File integrity verification
# ============================================================
def file_sha256(filepath: str

SHA-256 for Passwords — Why Fast Hashes Are Dangerous

This is where most engineers have the wrong mental model, and it costs their users real security.

SHA-256 is fast — roughly 500 MB/s on modern hardware, or about 15 million hashes per second for typical password-length inputs. An attacker with a single GPU (NVIDIA RTX 4090) can compute approximately 10 billion SHA-256 hashes per second using hashcat. With a cluster of 8 GPUs, that's 80 billion per second.

Let's do the math on an 8-character alphanumeric password (a-z, A-Z, 0-9 = 62 characters): 62^8 = 218,340,105,584,896 combinations ≈ 2.2 × 10^14 At 80 billion hashes/second: 2.2 × 10^14 / 8 × 10^10 = 2,750 seconds ≈ 46 minutes

An 8-character password, hashed with raw SHA-256, cracked in under an hour. And that's brute force — dictionary attacks with common passwords, substitutions (p@ssw0rd), and patterns (Summer2024!) are orders of magnitude faster.

The LinkedIn breach wasn't just about SHA-1 being weak. The stored hashes were unsalted. This means identical passwords produce identical hashes. An attacker builds one rainbow table and cracks all matching passwords simultaneously. '123456' appeared 753,305 times in the LinkedIn dump — one rainbow table lookup cracked all 753,305 accounts.

Salt solves the rainbow table problem but not the speed problem. Even with salt, SHA-256 is too fast. The solution: dedicated password hashing functions that are deliberately slow and memory-hard.

bcrypt: Configurable cost factor — each increment doubles computation time. Cost factor 12 = ~250ms per hash on modern hardware. That means an attacker gets ~4,000 guesses per second per core instead of 15 million. Target: 100-300ms per hash in your production environment.

Argon2id (recommended): Winner of the Password Hashing Competition (2015). Memory-hard — requires large RAM allocation per hash, making GPU/ASIC attacks expensive because GPUs have limited per-thread memory. Three variants: Argon2i (side-channel resistant), Argon2d (fastest, GPU-resistant), Argon2id (hybrid — recommended).

PBKDF2-SHA256: SHA-256 iterated 600,000+ times (OWASP 2023 recommendation, up from 100,000) with a unique salt. Not memory-hard, so GPU attacks are more effective than against Argon2. But it's FIPS 140-2 approved and widely supported. Django uses PBKDF2 by default.

Rule of thumb: If you're hashing passwords, the function name should contain 'bcrypt', 'argon2', or 'pbkdf2'. If it contains 'sha', 'md5', or 'blake' without a KDF wrapper, you're doing it wrong. I've audited four production systems that used raw SHA-256 for passwords — every one was crackable within hours on commodity hardware.

# io.thecodeforge.crypto.hash.PasswordHashing

import hashlib
import hmac
import os
import time


# ============================================================
# WRONG: Raw SHA-256 for passwords
# ============================================================
print("=" * 60)
print("WHY RAW SHA-256 IS DANGEROUS FOR PASSWORDS")
print("=" * 60)

# Benchmark SHA-256 speed
password = b'test_password_123'
start = time.perf_counter()
iterations = 1_000_000
for _ in range(iterations):
    hashlib.sha256(password).digest()
elapsed = time.perf_counter() - start
hashes_per_sec = iterations / elapsed

print(f"\n  SHA-256 speed: {hashes_per_sec:,.0f} hashes/second (single CPU core)")
print(f"  8-char alphanumeric brute force: {62**8 / hashes_per_sec / 3600:.1f} hours (single core)")
print(f"  With GPU (10B hashes/sec): {62**8 / 10e9 / 60:.1f} minutes")
print(f"  With 8-GPU cluster: {62**8 / 80e9 / 60:.1f} minutes")


# ============================================================
# RIGHT: PBKDF2-SHA256 (built into Python)
# ============================================================
print("\n" + "=" * 60)
print("PBKDF2-SHA256: THE RIGHT WAY (built into Python)")
print("=" * 60)

def hash_password_pbkdf2(password: str

SHA-256 in the Wild: Real-World Applications and Comparisons

SHA-256 is rarely used in isolation. It's a building block for larger protocols. Understanding these applications helps you know when SHA-256 is the right tool and where it's being phased out.

Bitcoin and Blockchain Bitcoin uses SHA-256 twice: SHA-256(SHA-256(block_header)). This double-hashing prevents length extension attacks on the proof-of-work (though the real reason was to avoid attack vectors in the original implementation). Miners iterate a 32-bit nonce until the resulting double-hash is below a target value. As of 2026, the Bitcoin network computes over 600 exahashes per second — that's 6×10^20 SHA-256 hashes every second. Mining ASICs are custom-built to compute double-SHA-256, nothing else.

TLS and HTTPS TLS 1.3 uses SHA-256 in its cipher suites: TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384. The SHA-256 hash is used for the key derivation function (HKDF) and for message authentication (HMAC). The digital signature inside the certificate (RSA or ECDSA) signs the hash of the certificate data, not the data itself.

Git Object Addressing Git uses SHA-1 for object IDs (commits, trees, blobs, tags) but has been transitioning to SHA-256 since Git 2.31 (2021). The transition is messy — SHA-256 repos can't directly interoperate with SHA-1 repos. When you run git hash-object, Git formats the content as '{type} {size}\x00{data