1

According to the HMAC specification in RFC2104, an HMAC is computed in the following way:

HMAC(K, text) = H(K XOR opad, H(K XOR ipad, text))

where H is the underlying hash function, , is concatenation and K has the length of one block.

Now I wonder, what is the benefit of applying the hash function twice here, that is, why wouldn't it be defined like this:

HMAC'(K, text) = H(K XOR ipad, text)

Are there attacks, that are possible against HMAC', but not against HMAC?

Fabian Schmitthenner
  • 111
  • 2
  • 3
    Does this answer your question? [Why is $H(k\mathbin\Vert x)$ not a secure MAC construction?](https://crypto.stackexchange.com/questions/1070/why-is-hk-mathbin-vert-x-not-a-secure-mac-construction). Note that ipad doesn't provide any any hardness at all in your scheme. – kelalaka Dec 10 '21 at 09:47
  • 1
    I agree with the linked duplicate. While the question ask different things, the answer and reasoning is applicable in both cases. – DannyNiu Dec 10 '21 at 11:06
  • 1
    And another highly related one [Why does HMAC use two different keys?](https://crypto.stackexchange.com/q/15734/18298) – kelalaka Dec 10 '21 at 16:22

0 Answers0