hmac format?

Markus Friedl markus.friedl at
Mon May 22 04:07:41 EST 2000

On Sat, May 20, 2000 at 05:29:55PM -0400, Mike Benham wrote:
> 	I was looking at the way that ssh calculates an hmac, and I
> noticed that the ordering is a little strange - it does hash(key+message).
> Shouldn't this rather be hash(message+key)?  In the former situation, it
> could be possible for an attacker to append something to the end of the
> data being sent.  The attacker would be able to calculate a valid hmac
> without knowing the key. For instance, since md5 does rounds on blocks of
> 512 bits, where the output of the last round is the input for the first
> round of the next block; an attacker could just use the existing hmac as
> input for a new block to append.  If the hash were computed as 
> hash(message+key), the attacker would have to know the key to do that.
> 	How do people feel about this?  Am I missing something here?

HMAC (rfc2104) works this way: F(k1, F(k2, x)), so the key influences
both the 1st and the last invocation of the compression function.
It's more like hash(key+message+key).


More information about the openssh-unix-dev mailing list