I thought of that, but I could not convince myself because it seems to depend on the particular application.
For example, lets assume the following scenario: m is a message that it authenticated by the HMAC. For example, in the HMAC(HASH(m)) scenario, you might find a collision, however it might be gibberish and therefore useless. However, it might be that m lacks structure so that HMAC(m) might be the valid signature for two different messages m1 and m2 that both give the same m to be signed. In this case, the HMAC(HASH(m)) could save you from such a situation. Nevertheless, I am not sure of how to factor this into the reasoning as there are probably cases where an example can be found the other way around. Am I making any sense? Thanks, Leandro.- On 11/02/2011 04:33 PM, Jack Lloyd wrote: > On Wed, Nov 02, 2011 at 04:25:30PM -0300, Leandro Meiners wrote: >> Hi List! >> >> I was wondering if anybody could give me some pointers as to papers or >> books that discuss the advantages/disadvantages of computing an HMAC of >> a message versus previously computing a hash of the message and then >> calculating the HMAC of the hash. >> My initial thoughts are that there isn't any additional security >> provided by either method. > > It seems like it would be harder (or at least not easier) to find a > collision or preimage for HMAC with an unknown key than a collision or > preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue > of attack that HMAC(m) would not, namely finding an inner collision > (or preimage) on H. > > Consider, for instance attacking HMAC-MD5(m) vs HMAC-MD5(MD5(m)). > > -Jack > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography > -- Leandro Federico Meiners _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
