[cryptography] HMAC over messages digest vs messages

Jack Lloyd lloyd at randombit.net
Wed Nov 2 15:33:17 EDT 2011

On Wed, Nov 02, 2011 at 04:25:30PM -0300, Leandro Meiners wrote:
> Hi List!
> I was wondering if anybody could give me some pointers as to papers or
> books that discuss the advantages/disadvantages of computing an HMAC of
> a message versus previously computing a hash of the message and then
> calculating the HMAC of the hash.
> My initial thoughts are that there isn't any additional security
> provided by either method.

It seems like it would be harder (or at least not easier) to find a
collision or preimage for HMAC with an unknown key than a collision or
preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue
of attack that HMAC(m) would not, namely finding an inner collision
(or preimage) on H.

Consider, for instance, attacking HMAC-MD5(m) vs HMAC-MD5(MD5(m)).
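
The inner-collision point above, as an added example that is not part of the original post: a collision on H found without the key yields equal tags under HMAC(H(m)) for every key, while HMAC(m) still separates the two messages. Assumptions: `weak_hash` (SHA-256 truncated to 24 bits) is a constructed stand-in for a hash whose collisions are cheap to find, and all function names and sample messages are hypothetical.

```python
import hashlib
import hmac
import os


def weak_hash(msg: bytes) -> bytes:
    """Toy stand-in for a collision-prone H: SHA-256 cut to 24 bits (assumption)."""
    return hashlib.sha256(msg).digest()[:3]


def find_collision():
    """Birthday search over constructed messages; needs no knowledge of the MAC key."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        counter += 1


def mac_direct(key: bytes, msg: bytes) -> bytes:
    """HMAC(m): the keyed function sees the whole message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_of_hash(key: bytes, msg: bytes) -> bytes:
    """HMAC(H(m)): the keyed function only sees the unkeyed digest."""
    return hmac.new(key, weak_hash(msg), hashlib.sha256).digest()


def demo() -> dict:
    m1, m2 = find_collision()   # done offline against H alone
    key = os.urandom(32)        # secret key, chosen after the collision was found
    return {
        "distinct": m1 != m2,
        "hash_then_mac_equal": hmac.compare_digest(
            mac_of_hash(key, m1), mac_of_hash(key, m2)),
        "direct_mac_equal": hmac.compare_digest(
            mac_direct(key, m1), mac_direct(key, m2)),
    }


if __name__ == "__main__":
    print(demo())
```

The outer HMAC here uses full SHA-256, so the equal tags come only from the unkeyed inner hash: a design that MACs a digest needs H to be collision resistant on its own.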


