$2\mathrm{.}1$ Scheme

The MAC prepends a secret symmetric key to an input message, then passes it to

the SHA$1$ algorithm:

tag $=$ Sha$1($password $\backslash |$ message$)$

You don$$t know the symmetric key, but you do know what length it might be $($See

the Objective section$)$

$2\mathrm{.}2$ Length Extension Attack

A length extension attack is a type of attack where an attacker can use the hash

of a message and the length of the message to calculate the hash of that message

prepended to another message, where the second message is chosen by the attacker.

This can be done without knowing the content of the first message.

This MAC is vulnerable to a length extension attack. Specifically, it$$s possible

to forge a valid $($message$,$ tag$)$ pair where the message has some arbitrary data

appended to the end, while only knowing the length of the password $($not its

actual value$).$

This is problematic in the MAC construction above because an attacker can include

extra information at the end of the message and produce a valid hash without knowing

the secret.