Why don't we use H(m||k) as a MAC?

Asked Mar 04 '14 at 17:24

Active Mar 04 '14 at 17:24

Viewed 136 times

HMAC seems a bit complicated. Why can't we use $H(m||k)$ as a MAC? Unlike $H(k||m)$, length extension attacks won't work.

Is there some other obvious attack?

asked Mar 04 '14 at 17:24

ithisa

1

See: http://crypto.stackexchange.com/questions/2669/attacks-of-the-mac-construction-mathcalhmk-for-common-hashes-mathcal?rq=1 – mikeazo Mar 04 '14 at 17:31

0 Answers0