[cryptography] HMAC over messages digest vs messages

Marsh Ray marsh at extendedsubset.com
Wed Nov 2 15:40:46 EDT 2011


On 11/02/2011 02:33 PM, Jack Lloyd wrote:
>
> It seems like it would be harder (or at least not easier) to find a
> collision or preimage for HMAC with an unknown key than a collision or
> preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue
> of attack that HMAC(m) would not, namely finding an inner collision
> (or preimage) on H.

That also goes for length extension attacks, something that HMAC is 
sometimes used specifically to prevent.

HMAC(k, m) is much better than HMAC(k, H(m)).

- Marsh
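
The inner-collision point above, as an added example that is not part of either post. `weak_h` is a constructed stand-in for a collision-weak H (SHA-256 truncated to 24 bits so a birthday search finishes instantly), and all function names are hypothetical.

```python
import hashlib
import hmac
import os


def weak_h(m: bytes) -> bytes:
    """Constructed stand-in for a collision-weak H: SHA-256 cut to 24 bits."""
    return hashlib.sha256(m).digest()[:3]


def find_collision() -> tuple[bytes, bytes]:
    """Birthday search on weak_h alone. No MAC key is involved at any point."""
    seen = {}
    i = 0
    while True:
        m = b"constructed message %d" % i
        d = weak_h(m)
        if d in seen:
            return seen[d], m  # two distinct messages, same weak_h digest
        seen[d] = m
        i += 1


def tag_over_digest(key: bytes, m: bytes) -> bytes:
    """HMAC(k, H(m)): the MAC only ever sees the digest of the message."""
    return hmac.new(key, weak_h(m), hashlib.sha256).digest()


def tag_over_message(key: bytes, m: bytes) -> bytes:
    """HMAC(k, m): the MAC is computed over the message itself."""
    return hmac.new(key, m, hashlib.sha256).digest()


def demo(key: bytes) -> dict:
    """Compare both constructions on a colliding pair found without the key."""
    m1, m2 = find_collision()
    return {
        "m1": m1,
        "m2": m2,
        # Equal for every key: a tag issued for m1 also verifies for m2.
        "digest_tags_equal": hmac.compare_digest(
            tag_over_digest(key, m1), tag_over_digest(key, m2)),
        # Not equal: the collision in weak_h does not carry over.
        "message_tags_equal": hmac.compare_digest(
            tag_over_message(key, m1), tag_over_message(key, m2)),
    }


if __name__ == "__main__":
    print(demo(os.urandom(32)))
```

The collision search never touches the key, so with HMAC(k, H(m)) the security of the tag is bounded by the collision resistance of H rather than by the keyed construction.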


