You$$re given a message and a valid secret$-$prefix MAC tag for it; you don$$t know the secret prefix. The goal is to forge a tag for a message that contains the byte sequence CA FE F$00$D $($hex$).$

On the exercise page, you$$ll see three boxes.

The Secret$-$Prefix MAC box shows a message and a tag for it$,$ using a random key with the secret$-$prefix MAC.

This box illustrates the SHA$-256$ padding. It shows the SHA$-256$ block that actually goes into the compression function $($with the secret hidden$).$ Note that the message bytes are followed by $0$x$80,$ then a bunch of zeroes, then the length of the message in bits.

The Extendable SHA$-256$ box lets you compute SHA$-256$ with a custom initial H and bit count. When you load the page, the $$Initial H$$ field contains SHA$-256$s actual nothing$-$up$-$my$-$sleeve constants, so if you leave that field unchanged and the initial bit count at zero, this box will compute the plain SHA$-256$ hash of the $$Hash input$$ field.

The Solution box is where you$$ll construct the message that you$$re forging a tag for, and enter the forged tag.

This box lets you enter a message, then computes the secret$-$prefix MAC tag of it$,$ but it doesn$$t show you the tag. It compares this tag $($the $$true tag$)$ to the forged tag that you enter.

Like the first box, this one shows the SHA$-256$ blocks that go into the compression function $($with the secret hidden$).$

Here is what you$$ll need to do for the attack:

Copy the tag from the Secret$-$Prefix MAC box, and paste it into the $$Initial H$$ field. This is the hash you$$re extending.

Set the $$Hash Input$$ field in the Extendable SHA$-256$ box, so that it contains the byte sequence CA FE F$00$D$.$ The rest of the bytes can be whatever you want.

These eight bytes are E from the explanation above.

You$$ll now construct the message whose tag you$$re forging, in the $$Message$$ field of the Tag Verifier box. Recall from earlier that the message is the original MAC input, followed by the original hash$$s padding, followed by E $($your extension$).$

Try changing the contents of the Message field and watch the effect it has on the SHA$-256$ blocks shown below.

Then, edit the $$Message$$ field so that:

The first SHA$-256$ block shown below the $$Message$$ field is exactly the same as the SHA$-256$ block from the Secret$-$Prefix MAC box.

The second SHA$-256$ block shown below the $$Message$$ field is exactly the same as the SHA$-256$ block from the Extendable SHA$-256$ box, except for the two bytes at the very end.

Back in the Extendable SHA$-256$ box, try changing the value of the initial bit count, and watch the effect it has on the SHA$-256$ block shown below. You$$ll see the bytes at the end changing.

Set the initial bit count so that the SHA$-256$ block shown below $($in the Extendable SHA$-256$ box$)$ is exactly the same as the second block in the Tag Verifier box.

Once you get the right value, make sure you understand: why is that the correct value of the initial bit count?

At this point, the hash in the Extendable SHA$-256$ box is the forged tag.

Copy the hash from the Extendable SHA$-256$ box and paste it into the $$Forged tag$$ field of the Tag Verifier box. The Tag Verifier box will turn green if you did everything right.