hmac format?

Mike Benham moxie at
Sun May 21 07:29:55 EST 2000

	I was looking at the way that ssh calculates an hmac, and I
noticed that the ordering is a little strange - it does hash(key+message).
Shouldn't this rather be hash(message+key)?  In the former situation, it
could be possible for an attacker to append something to the end of the
data being sent.  The attacker would be able to calculate a valid hmac
without knowing the key. For instance, since md5 does rounds on blocks of
512 bits, where the output of the last round is the input for the first
round of the next block, an attacker could just use the existing hmac as
input for a new block to append.  If the hash were computed as
hash(message+key), the attacker would have to know the key to do that.
	How do people feel about this?  Am I missing something here?

					- Mike 

"A totalitarian state thrives on propaganda, and there is no more effective
way to limit thought than to control the language itself.  By changing
definitions of words through continual association, any serious discussion
involving the concepts that the words represent becomes hopelessly muddled."
Moxie  - moxie at / moxie at
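Added example, not part of the original post: the post contrasts hash(key+message) with hash(message+key), but the HMAC that RFC 2104 specifies (and that the SSH transport uses) is neither; it is the nested construction H((K xor opad) || H((K xor ipad) || m)), where the outer hash over the inner digest is what stops a message extension from continuing the keyed state. The block below builds HMAC-MD5 from that definition using only hashlib, puts the bare prefix construction from the post beside it for contrast, checks the result against Python's hmac module, and verifies tags with a constant-time compare. The key, message and tag values are constructed for the example.

```python
import hashlib
import hmac

# MD5 (like SHA-1) compresses 512-bit blocks, i.e. 64 bytes; HMAC pads the key to this size.
BLOCK_SIZE = 64


def naive_prefix_mac(key: bytes, message: bytes) -> bytes:
    """The construction the post is worried about: a single hash over key || message.

    Because the digest is the hash's full internal state after the last block,
    whoever holds the digest also holds the state needed to keep hashing.
    Shown for contrast only; this is not what RFC 2104 defines.
    """
    return hashlib.md5(key + message).digest()


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 exactly as RFC 2104 defines it: H((K ^ opad) || H((K ^ ipad) || m))."""
    # Keys longer than one block are first hashed down to a digest.
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    # Then the key is zero-padded to a full block.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    # Inner hash: keyed state followed by the message.
    inner = hashlib.md5(k_ipad + message).digest()
    # Outer hash: a second keyed pass over the inner digest. An extended message
    # changes the inner digest, and the outer pass cannot be continued without K.
    return hashlib.md5(k_opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library implementation."""
    return hmac_md5(key, message) == hmac.new(key, message, hashlib.md5).digest()


def verify_hmac_md5(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check; compare_digest avoids leaking where the tags first differ."""
    return hmac.compare_digest(hmac_md5(key, message), tag)


if __name__ == "__main__":
    # Constructed sample values for the example.
    key = b"constructed-shared-secret"
    msg = b"SSH_MSG_CHANNEL_DATA: example payload"
    tag = hmac_md5(key, msg)
    print("hmac-md5    :", tag.hex())
    print("prefix md5  :", naive_prefix_mac(key, msg).hex())
    print("stdlib match:", matches_stdlib(key, msg))
    print("verify ok   :", verify_hmac_md5(key, msg, tag))
    print("tampered    :", verify_hmac_md5(key, msg + b" appended", tag))
```

The RFC 2202 test vector (16-byte key of 0x0b, data "Hi There") gives 9294727a3638bb1c13f48ef8158bfc9d for HMAC-MD5, which the function reproduces; the naive prefix digest for the same inputs differs, which shows the two constructions are not the same algorithm.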

More information about the openssh-unix-dev mailing list