
What is the benefit of using HMAC over a hash with a key suffix? I realize that using a key prefix is a bad idea because it allows message extension attacks. When adding the key as a suffix, the possibility of such an attack is eliminated.

MAC = h(k||x) // key prefixing, bad idea
MAC = h(x||k) // key suffixing, much better idea

HMAC uses double hashing presumably to prevent extension attacks. Why is it better than just simple key suffixing?

HMAC scheme:

[Image: diagram of the HMAC scheme]

Maarten Bodewes
sanjihan
  • May we assume that the key is a static size? Or may we assume that the possibility of data and key overlapping is a drawback (a|bc = ab|c)? Note that HMAC says $k^+$, i.e. the key is also extended to a full block before it is hashed. – Maarten Bodewes Oct 07 '19 at 11:00
  • Does this older Q&A answer your question? Or this other one for the matter? – SEJPM Oct 07 '19 at 11:05
  • As far as I know, the key is of static size and is extended (if necessary) to match the input block of hash function – sanjihan Oct 07 '19 at 11:06
  • My goodness, I really need to work on choosing better search terms – sanjihan Oct 07 '19 at 11:07
  • Well, I searched as well and I couldn't find them either. And I was the colleague they always asked to perform the searches at work. It's not always that easy finding them. – Maarten Bodewes Oct 07 '19 at 11:08
  • I guess there are enough answers for you in the link, sanjihan. Some final notes: the padding and hashing of the keys in HMAC can be performed in advance, so the algorithm may not be that much less performant, even for smaller messages. And for SHA-3 there is a construction called KMAC (which basically prefixes the key, which is alright since SHA-3 is not vulnerable against length extension attacks). – Maarten Bodewes Oct 07 '19 at 11:19
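
Two points raised in the comments above, shown as an added example that is not part of the original thread: with h(x||k) and keys of varying length the message/key boundary is ambiguous (a|bc = ab|c), and the two key blocks of HMAC can be hashed in advance and reused for every message. SHA-256 as h, the names `suffix_mac`, `PrecomputedHmac`, `hmac_mac` and `boundary_ambiguous`, and all keys and messages are assumptions made for the example.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # 64 bytes for SHA-256


def suffix_mac(key: bytes, msg: bytes) -> bytes:
    """MAC = h(x || k), the key-suffix construction from the question."""
    return hashlib.sha256(msg + key).digest()


class PrecomputedHmac:
    """HMAC-SHA256 whose two key-dependent blocks are hashed once, up front."""

    def __init__(self, key: bytes):
        if len(key) > BLOCK:  # keys longer than a block are hashed first
            key = hashlib.sha256(key).digest()
        k_plus = key.ljust(BLOCK, b"\x00")  # k+: key extended to a full block
        self._inner = hashlib.sha256(bytes(b ^ 0x36 for b in k_plus))
        self._outer = hashlib.sha256(bytes(b ^ 0x5C for b in k_plus))

    def tag(self, msg: bytes) -> bytes:
        inner = self._inner.copy()  # resume from the stored state
        inner.update(msg)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(msg), tag)  # constant-time compare


def hmac_mac(key: bytes, msg: bytes) -> bytes:
    return PrecomputedHmac(key).tag(msg)


def boundary_ambiguous(mac) -> bool:
    """True if (x=a, k=bc) and (x=ab, k=c) produce the same tag under mac."""
    return mac(b"bc", b"a") == mac(b"c", b"ab")


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"constructed message"  # sample values
    signer = PrecomputedHmac(key)
    print("matches stdlib hmac:", signer.tag(msg) == hmac.new(key, msg, hashlib.sha256).digest())
    print("h(x||k) boundary ambiguous:", boundary_ambiguous(suffix_mac))
    print("HMAC boundary ambiguous:   ", boundary_ambiguous(hmac_mac))
```

The ambiguity only arises when key length can vary; with a fixed-size key, as the asker assumes, the two inputs in `boundary_ambiguous` cannot both be valid.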
