LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What were the early approaches to building a MAC from a keyless hash function, and why did they all fail?

Three naive approaches — secret-prefix, secret-suffix, and envelope MAC — were all found to have vulnerabilities, leading to the development of HMAC.

Three broken key+hash MAC attempts, all superseded by HMAC

* Prefix, suffix and envelope constructions each have weaknesses — the fix that resulted is HMAC. *

Approach 1: Secret-Prefix MAC $m = MAC_k(x) = h(k \| x)$

  • Prepend the key before the message, then hash everything
  • Vulnerable to length extension attacks (due to Merkle-Damgård construction)

Approach 2: Secret-Suffix MAC $m = MAC_k(x) = h(x \| k)$

  • Append the key after the message, then hash
  • Also has known weaknesses

Approach 3: Envelope MAC (two keys) $m = MAC_{k_1,k_2}(x) = h(k_1 \| x \| k_2)$

  • Wrap the message between two keys
  • Still has weaknesses

Consequence: All three are insecure. The solution was HMAC (RFC 2104), which uses a more sophisticated double-hashing construction with inner and outer padding.

Go deeper:

From Quiz: KRYPTOG / One-Way and Hash Functions | Updated: Jul 14, 2026