[cryptography] HMAC over messages digest vs messages

Leandro Meiners lmeiners at gmail.com
Wed Nov 2 15:59:01 EDT 2011

I thought of that, but I could not convince myself because it seems to
depend on the particular application.

For example, lets assume the following scenario: m is a message that it
authenticated by the HMAC.

For example, in the HMAC(HASH(m)) scenario, you might find a collision,
however it might be gibberish and therefore useless. However, it might
be that m lacks structure so that HMAC(m) might be the valid signature
for two different messages m1 and m2 that both give the same m to be
signed. In this case, the HMAC(HASH(m)) could save you from such a

Nevertheless, I am not sure of how to factor this into the reasoning as
there are probably cases where an example can be found the other way around.

Am I making any sense?


On 11/02/2011 04:33 PM, Jack Lloyd wrote:
> On Wed, Nov 02, 2011 at 04:25:30PM -0300, Leandro Meiners wrote:
>> Hi List!
>> I was wondering if anybody could give me some pointers as to papers or
>> books that discuss the advantages/disadvantages of computing an HMAC of
>> a message versus previously computing a hash of the message and then
>> calculating the HMAC of the hash.
>> My initial thoughts are that there isn't any additional security
>> provided by either method.
> It seems like it would be harder (or at least not easier) to find a
> collision or preimage for HMAC with an unknown key than a collision or
> preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue
> of attack that HMAC(m) would not, namely finding an inner collision
> (or preimage) on H.
> Consider, for instance attacking HMAC-MD5(m) vs HMAC-MD5(MD5(m)).
> -Jack
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

Leandro Federico Meiners

More information about the cryptography mailing list