Quiz Entry - updated: 2026.07.05
Why is the Secret-Prefix-MAC, h(k‖x), insecure, and how does the Secret-Suffix-MAC differ?
Secret-Prefix-MAC m = h(k‖x) is vulnerable to a length-extension attack on Merkle-Damgård hashes (MD5, SHA-1): an attacker can append data and compute a valid MAC without knowing the key. Secret-Suffix-MAC m = h(x‖k) blocks that attack but relies on collision resistance instead.
Secret-Prefix-MAC — the length-extension attack:
- Construction:
m = MAC_k(x) = h(k‖x), message in blocks x = (x₁,…,xₙ) - With a Merkle-Damgård hash (MD5, SHA-1, …), the digest is the internal state after hashing
- So an attacker who sees (x, m) can continue hashing from m: compute
m_O = h(m‖x_{n+1})for an appended block — andm_Ois a valid MAC for the extended message (x₁,…,xₙ, x_{n+1}), all without knowing k
Secret-Suffix-MAC — m = h(x‖k):
- The key is at the end, so the length-extension trick fails (the attacker can't append past the secret)
- But it has a different weakness: it relies on the hash being collision-resistant — if an attacker can find x, x_O with h(x) = h(x_O), then h(x‖k) = h(x_O‖k) and the MAC carries over
The conclusion: neither naive construction is good enough → this motivates HMAC, which is provably secure under reasonable assumptions and is used in TLS and IPsec.
Tip: Prefix = length-extension; Suffix = collision attack. HMAC nests both ways to avoid each flaw.
Go deeper:
Hash Length Extension Attack — Computerphile (Mike Pound) — a visual walk-through of why h(k‖x) leaks the hash state and lets an attacker append data and forge a valid MAC.
Length extension attack (Wikipedia) — exactly how an attacker continues a Merkle–Damgård hash from a digest to forge h(k‖x) without the key.
HMAC (Wikipedia) — the nested construction that defeats both the prefix and suffix flaws.