LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why is the Secret-Prefix-MAC, h(k‖x), insecure, and how does the Secret-Suffix-MAC differ?

Secret-Prefix-MAC m = h(k‖x) is vulnerable to a length-extension attack on Merkle-Damgård hashes (MD5, SHA-1): an attacker can append data and compute a valid MAC without knowing the key. Secret-Suffix-MAC m = h(x‖k) blocks that attack but relies on collision resistance instead.

Secret-Prefix-MAC — the length-extension attack:

  • Construction: m = MAC_k(x) = h(k‖x), message in blocks x = (x₁,…,xₙ)
  • With a Merkle-Damgård hash (MD5, SHA-1, …), the digest is the internal state after hashing
  • So an attacker who sees (x, m) can continue hashing from m: compute m_O = h(m‖x_{n+1}) for an appended block — and m_O is a valid MAC for the extended message (x₁,…,xₙ, x_{n+1}), all without knowing k

Secret-Suffix-MAC — m = h(x‖k):

  • The key is at the end, so the length-extension trick fails (the attacker can't append past the secret)
  • But it has a different weakness: it relies on the hash being collision-resistant — if an attacker can find x, x_O with h(x) = h(x_O), then h(x‖k) = h(x_O‖k) and the MAC carries over

The conclusion: neither naive construction is good enough → this motivates HMAC, which is provably secure under reasonable assumptions and is used in TLS and IPsec.

Tip: Prefix = length-extension; Suffix = collision attack. HMAC nests both ways to avoid each flaw.

Go deeper:

From Quiz: MOBINFSEC / GSM & LTE Security Infrastructure | Updated: Jul 05, 2026