Quiz Entry - updated: 2026.07.14
What were the early approaches to building a MAC from a keyless hash function, and why did they all fail?
Three naive approaches — secret-prefix, secret-suffix, and envelope MAC — were all found to have vulnerabilities, leading to the development of HMAC.
* Prefix, suffix and envelope constructions each have weaknesses — the fix that resulted is HMAC. *
Approach 1: Secret-Prefix MAC $m = MAC_k(x) = h(k \| x)$
- Prepend the key before the message, then hash everything
- Vulnerable to length extension attacks (due to Merkle-Damgård construction)
Approach 2: Secret-Suffix MAC $m = MAC_k(x) = h(x \| k)$
- Append the key after the message, then hash
- Also has known weaknesses
Approach 3: Envelope MAC (two keys) $m = MAC_{k_1,k_2}(x) = h(k_1 \| x \| k_2)$
- Wrap the message between two keys
- Still has weaknesses
Consequence: All three are insecure. The solution was HMAC (RFC 2104), which uses a more sophisticated double-hashing construction with inner and outer padding.
Go deeper:
Length extension attack (Wikipedia) — the concrete flaw that sinks the secret-prefix MAC on Merkle–Damgård hashes.
HMAC (Wikipedia) — the nested construction designed to sidestep all three naive failures.