On 11/02/2011 02:33 PM, Jack Lloyd wrote:

> It seems like it would be harder (or at least not easier) to find a
> collision or preimage for HMAC with an unknown key than a collision or
> preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue
> of attack that HMAC(m) would not, namely finding an inner collision
> (or preimage) on H.

That also goes for length extension attacks, something that HMAC is sometimes used specifically to prevent.

HMAC(k, m) is much better than HMAC(k, H(m)).

- Marsh
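
The inner-collision point from the exchange above, as an added example that is not part of the original messages: a collision on the unkeyed pre-hash carries over to HMAC(k, H(m)) for every key, while HMAC(k, m) still separates the two messages. The names `weak_hash`, `tag_hash_then_mac` and `tag_direct` are hypothetical, and the 24-bit truncation of SHA-256 is an assumed stand-in for a hash whose collision resistance has failed.

```python
import hashlib
import hmac
import os


def weak_hash(msg: bytes) -> bytes:
    """Assumed stand-in for a broken H: SHA-256 truncated to 24 bits."""
    return hashlib.sha256(msg).digest()[:3]


def find_collision():
    """Birthday search over constructed messages; uses no key at all."""
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-message-%d" % counter
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg  # two distinct inputs, same H output
        seen[digest] = msg
        counter += 1


def tag_hash_then_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC(k, H(m)): the MAC only ever sees the unkeyed digest."""
    return hmac.new(key, weak_hash(msg), hashlib.sha256).digest()


def tag_direct(key: bytes, msg: bytes) -> bytes:
    """HMAC(k, m): the key is mixed in before any compression of m."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    m1, m2 = find_collision()   # done before the key even exists
    key = os.urandom(32)        # unknown to whoever found the collision
    return {
        "distinct": m1 != m2,
        "hash_then_mac_equal": hmac.compare_digest(
            tag_hash_then_mac(key, m1), tag_hash_then_mac(key, m2)),
        "direct_equal": hmac.compare_digest(
            tag_direct(key, m1), tag_direct(key, m2)),
    }


if __name__ == "__main__":
    print(demo())
```

The outer HMAC is full SHA-256 in both constructions; only the pre-hash is weakened, which is enough for the two tags under HMAC(k, H(m)) to match.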