Re: HMAC -NMAC security

From: Mark Wooding (
Date: 06/30/03

Date: 30 Jun 2003 10:52:13 GMT

whoami <> wrote:

> I don't understand why we need to hide the result of the inner
> function h(K2||x). I know that because of the extension attack one
> can easily find h(K2||x||y) no matter what y is but does this give
> some information on h(K1||h(K2||x||y)) which is the result of HMAC
> over x||y?

Quick overview of the thinking behind HMAC:

  * The inner layer is intended to be collision resistant. The key is
    present at this layer because finding collisions with an unknown
    initialization vector is harder than finding them if the IV is

  * The outer layer is intended to be a pseudorandom function[1], with
    fixed-length input and output. It's this layer which really
    provides the security of the construction.

  * As long as the output from the inner layer is different for
    different input messages, an adversary can't predict the tag for a
    message (because the outer layer is effectively random). If he
    finds a collision in the inner layer, he can request a tag for one
    of the colliding pair, and present the other other as his forgery.

  * Keeping the intermediate value $H(K_2 \cat x)$ secret makes it
    harder for an adversary to know whether he's found a collision.

[1] The proof that NMAC is a decent MAC only assumes that the outer
    layer works as a MAC on fixed-length inputs. However, it's the
    PRF-like property of the outer layer that means you can get away
    with things like truncating the tag.

-- [mdw]

Relevant Pages

  • Re: difference between Repeater,hub,bridge, switch,router, gateway
    ... Yes - a repeater repeats frames at the electrical level, layer 1. ... part of a collision domain. ... Designed to store and forward frame ... Switches, on the other hand, tend to have ASICs to do what they do and ...
  • Re: Very rapid polling
    ... that it one receiver sees a collision, all of them see the collision. ... Therefore collisions should never result in duplicate packets at the ... application layer. ...
  • Re: [PHP] Couple of beginner questions
    ... // somewhere in the business logic / functional layer ... The custom tag will expand the path to wherever the images directory was ... It's a pain in the ass overriding a CSS rule that was ... through all the other methods of doing it - however for a couple of years now I've limitted all presentation to css only, css contained in a stylesheet - I try to use minimal css classes, and stick to using an id wherever I can't simply redefine the html tag. ...
  • Re: position layers in tables
    ... "Murray" wrote: ... > The language attribute is not a valid attribute for the body tag. ... > nested layers) and the closer layer from their table cells, ...
  • Re: Mutli-Page Form Format
    ... There are some newsgroups (not Microsoft) where top ... except when I move from layer to layer ... Remove all margin information from the tag. ... Remove the empty paragraphs at the bottom of each layer - some ...