[cryptography] HMAC over messages digest vs messages
marsh at extendedsubset.com
Wed Nov 2 15:40:46 EDT 2011
On 11/02/2011 02:33 PM, Jack Lloyd wrote:
> It seems like it would be harder (or at least not easier) to find a
> collision or preimage for HMAC with an unknown key than a collision or
> preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue
> of attack that HMAC(m) would not, namely finding an inner collision
> (or preimage) on H.
That also goes for length extension attacks, something that HMAC is
sometimes used specifically to prevent.
HMAC(k, m) is much better than HMAC(k, H(m)).
More information about the cryptography