Why does HMAC use the hash twice?

Asked Dec 09 '21 at 23:00

Active Dec 10 '21 at 11:39

Viewed 608 times

According to the HMAC specification in RFC2104, an HMAC is computed in the following way:

HMAC(K, text) = H(K XOR opad, H(K XOR ipad, text))

where H is the underlying hash function, , is concatenation and K has the length of one block.

Now I wonder, what is the benefit of applying the hash function twice here, that is, why wouldn't it be defined like this:

HMAC'(K, text) = H(K XOR ipad, text)

Are there attacks, that are possible against HMAC', but not against HMAC?

asked Dec 09 '21 at 23:00

3

Does this answer your question? Why is $H(k\mathbin\Vert x)$ not a secure MAC construction?. Note that ipad doesn't provide any any hardness at all in your scheme. – kelalaka Dec 10 '21 at 09:47
1

I agree with the linked duplicate. While the question ask different things, the answer and reasoning is applicable in both cases. – DannyNiu Dec 10 '21 at 11:06
1

And another highly related one Why does HMAC use two different keys? – kelalaka Dec 10 '21 at 16:22

0 Answers0