HMAC vs simple MD5 Hash

user496949 · Feb 19, 2011 · Viewed 27.3k times

Can anyone point out what the advantage of using HMAC is?

For example, if I have a text T and a key K, I can use either the HMAC-MD5 algorithm or Md5(T + K) to get a signature.

Answer

Babu Srinivasan · Apr 5, 2011

HMAC is not susceptible to length extension attacks.

md5(T + K) should be fine for most uses unless your adversary is motivated to tamper with your message and has very good computing power. As long as you control T, birthday attacks are not applicable and you only have brute-force attacks. But it is good to be aware of the limitations. If you want to go with this approach you may want to use SHA1(T + K) instead of MD5.

md5(T+K) is certainly better than md5(K+T) where an attacker may append text to your message and generate another valid MAC.

With md5(T+K), the issue is that if an attacker can find a collision with T2 such that md5(T) = md5(T2), then md5(T+K) = md5(T2+K). But this requires a brute-force attack.

Note: I say "as long as you control T", because if changes can be made to T (in such a way that it is not obvious) one can try to generate 2 messages T1 and T2 where T1 can pass for T and md5(T1) = md5(T2). Now this is relatively a lot easier to do (we are talking 2^64 instead of 2^128) and the reason is the so-called Birthday paradox or Birthday attack.

Note: The design of HMAC was motivated to avoid these kinds of extension attacks. There are no known attacks against HMAC.
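The collision carry-over described above for hash(T + K), next to the same check against an HMAC-style construction, as an added example that is not part of the original answer. It uses a toy Merkle-Damgard hash (MD5 truncated to 32 bits over 8-byte blocks, both assumptions) so a key-free collision is found in well under a second; all function names are hypothetical.

```python
import hashlib
import hmac
from itertools import count

BLOCK, STATE = 8, 4   # toy sizes (assumptions): 8-byte blocks, 32-bit chaining state

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: MD5 truncated to 32 bits so collisions are cheap.
    return hashlib.md5(state + block).digest()[:STATE]

def toy_hash(msg: bytes) -> bytes:
    # Merkle-Damgard iteration with length padding, the same structure MD5 uses.
    pad = b"\x80" + b"\x00" * (-(len(msg) + 5) % BLOCK) + len(msg).to_bytes(4, "big")
    state = b"\x00" * STATE
    data = msg + pad
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def find_collision():
    # Key-free birthday search: two distinct one-block messages, same chaining state.
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        state = compress(b"\x00" * STATE, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def suffix_mac(key: bytes, text: bytes) -> bytes:
    return toy_hash(text + key)            # the hash(T + K) construction

def toy_hmac(key: bytes, text: bytes) -> bytes:
    # RFC 2104 structure over the toy hash; key assumed no longer than BLOCK.
    key = key.ljust(BLOCK, b"\x00")
    inner = toy_hash(bytes(b ^ 0x36 for b in key) + text)
    return toy_hash(bytes(b ^ 0x5C for b in key) + inner)

def verify_hmac_md5(key: bytes, text: bytes, tag: bytes) -> bool:
    # Real-world equivalent: standard-library HMAC-MD5 with constant-time comparison.
    return hmac.compare_digest(hmac.new(key, text, hashlib.md5).digest(), tag)

if __name__ == "__main__":
    key = b"k3y"                           # constructed sample key
    t1, t2 = find_collision()
    print("colliding blocks:", t1.hex(), t2.hex())
    print("hash(T+K) tags equal:", suffix_mac(key, t1) == suffix_mac(key, t2))
    print("HMAC tags equal:     ", toy_hmac(key, t1) == toy_hmac(key, t2))
```

The colliding pair was found without the key, yet it yields equal hash(T + K) tags for every key, because the key is only absorbed after the chaining states have already merged. In the HMAC structure the key is mixed in before the message, so the same pair no longer collides.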