Cryptography Reference
the HMAC construction is that it can be proven to be secure if certain assumptions
are made.
The basic idea behind all hash-based message authentication codes is that the key is hashed together with the message. Two obvious constructions are possible. The first one:

$$m = \mathrm{MAC}_k(x) = h(k \,\|\, x)$$

is called secret prefix MAC, and the second one:

$$m = \mathrm{MAC}_k(x) = h(x \,\|\, k)$$

is known as secret suffix MAC. The symbol "$\|$" denotes concatenation. Intuitively, due to the one-wayness and the good "scrambling properties" of modern hash functions, both approaches should result in strong cryptographic checksums. However, as is often the case in cryptography, assessing the security of a scheme can be trickier than it seems at first glance. We now demonstrate weaknesses in both constructions.

Attacks Against Secret Prefix MACs
We consider MACs realized as $m = h(k \,\|\, x)$. For the attack we assume that the cryptographic checksum $m$ is computed using a hash construction as shown in Figure 11.5. This iterated approach is used in the majority of today's hash functions. The message $x$ that Bob wants to sign is a sequence of blocks $x = (x_1, x_2, \ldots, x_n)$, where the block length matches the input width of the hash function. Bob computes an authentication tag as:

$$m = \mathrm{MAC}_k(x) = h(k \,\|\, x_1, x_2, \ldots, x_n)$$

The problem is that the MAC for the message $x = (x_1, x_2, \ldots, x_n, x_{n+1})$, where $x_{n+1}$ is an arbitrary additional block, can be constructed from $m$ without knowing the secret key. The attack is shown in the protocol below.
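
The forgery described above, worked through in Python as an added example that is not part of the original text. The 16-byte toy iterated hash, the sample key and blocks, and all function names are assumptions of this example; the nested HMAC-style variant is included for contrast and is simplified to a key of exactly one block.

```python
import hashlib
import hmac

BLOCK = 16          # toy block width in bytes (assumption of this example)
IV = bytes(BLOCK)   # public, fixed initial value

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: SHA-256 truncated to one block.
    return hashlib.sha256(state + block).digest()[:BLOCK]

def h(data: bytes, state: bytes = IV) -> bytes:
    # Iterated hash over whole blocks, no padding; the output is the last state.
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def prefix_mac(k: bytes, x: bytes) -> bytes:
    return h(k + x)                      # m = h(k || x)

def toy_hmac(k: bytes, x: bytes) -> bytes:
    # Nested HMAC structure over the toy hash; k is exactly one block here.
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    return h(opad + h(ipad + x))

def extend(tag: bytes, extra_block: bytes) -> bytes:
    # No key involved: resume the iteration from the published tag.
    return h(extra_block, state=tag)

def demo() -> dict:
    k = b"k".ljust(BLOCK, b"#")          # constructed secret key, one block
    x = b"x1".ljust(BLOCK, b".") + b"x2".ljust(BLOCK, b".")   # Bob's x
    extra = b"x3".ljust(BLOCK, b".")     # appended block x_{n+1}
    forged = extend(prefix_mac(k, x), extra)
    return {
        "prefix_forgery_verifies": hmac.compare_digest(forged, prefix_mac(k, x + extra)),
        "hmac_forgery_verifies": hmac.compare_digest(
            extend(toy_hmac(k, x), extra), toy_hmac(k, x + extra)),
    }

if __name__ == "__main__":
    print(demo())
```

The secret prefix tag is the hash's final chaining value, so it can be resumed as a starting state; in the nested construction the tag is the output of an outer hash over the inner digest, and continuing from it does not produce a valid tag for the longer message.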