Re: why HMAC (Keyed-Hashing for Message Authentication)?

From: Panu Hämäläinen (panu.hamalainen_at_NOSPAM.tut.fi.invalid)
Date: 12/23/03 

Date: Tue, 23 Dec 2003 11:56:35 +0200

> What is the advantage of HMAC over simply passing
> hash(strcat(key,message)) along with the message?

If you use a standard iterative hash function (e.g. SHA), the construction
allows length extension attacks, i.e., using the hash value for
authenticating a longer message with the same key. If you put the key in the
end, attacking is little more complicated (key recovery attack) but still
possible. HMAC is designed so that it resists both. (see "Practical
Cryptography," Niels Ferguson, Bruce Schneier)

-- Panu

Relevant Pages

  • Re: HMAC issues
    ... SHA1d as defined by the book is h), in other words hash the ... attacks, so you hash the result as well. ... HMAC that i have read, a and b do not have values, so i gave them values. ... abuse as the attacker can flip several bits and then take a new MAC, ...
    (sci.crypt)
  • Re: Slow but secure has function for small data
    ... current attacks on the SHA-series (including MD5) are irrelevant to ... HMAC provided the key itself is unknown (page 4 paragraph beginning ... "Forgery and Partial Key-Recovery Attacks ... results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function. ...
    (sci.crypt)
  • Re: MD5 and SHA-0 collisions
    ... Do these attacks break HMAC using MD5? ... Because of the way hash functions are used in ... hmac-md5 isn't affected. ...
    (sci.crypt)
  • Re: Bday Attack on HMAC with Seq Nums
    ... The key used for HMAC ... > See van Oorschot and Wiener work on internal collision attacks. ... A number of theoretical attacks appear to be based on the assumption ... the van Oorschot and Wiener paper appears to address ...
    (sci.crypt)