Linked Questions

2 votes
1 answer
3k views

I want to guarantee the integrity of a message $m$. My first thought is to append the message to an integrity key $k$ and hash it as $H(k\,||\,m)$. However, I have been told that this is not totally ...
Ben
1 vote
0 answers
839 views

According to the HMAC specification in RFC2104, an HMAC is computed in the following way: HMAC(K, text) = H(K XOR opad, H(K XOR ipad, text)) where ...
Fabian Schmitthenner
0 votes
1 answer
426 views

Is there any practical difference from using HMAC-SHA1(key, msg) vs SHA1(key + msg) as a way to verify the authenticity/...
AlanSTACK
1 vote
0 answers
54 views

Possible Duplicate: Why is H(k||x) not a secure MAC construction? I've the following problem: two parties, A and B, share a secret key Kab. M is a plaintext message, H an unkeyed hash function A ...
ArtoAle
42 votes
4 answers
55k views

What is "preimage resistance", and how can the lack thereof be exploited? How is this different from collision resistance, and are there any known preimage attacks that would be considered feasible?
John Gietzen
29 votes
2 answers
26k views

I've read definitions of MAC and HMAC, but can't say I've completely grasped the differences. What are the principal differences? When to use one and when the other? (Typical use cases)
Matteo
25 votes
2 answers
5k views

If $H$ is a typical secure hash function, then $(k,x) \mapsto H(k \mathbin\| x)$ is not a secure MAC construction, because given a known plaintext $x_1$ and its MAC $m_1$, an attacker can extend $k \...
Gilles 'SO- stop being evil'
17 votes
2 answers
9k views

Here is the post that explains the failure for doing h(k||m) and I understand it. But I don't understand how h(m||k) is subjected to a collision attack, or birthday attack. Please explain?
CppLearner
13 votes
2 answers
2k views

I understand how for hash functions which are vulnerable to length extension attacks (such as SHA1 and SHA2) it is safer to use a HMAC construction. What I don't understand is, how or why is $\...
RocketNuts
7 votes
2 answers
452 views

$\require{begingroup}\begingroup \DeclareMathOperator{\keccak}{\mathrm{Keccak}} \DeclareMathOperator{\concat}{\|} $According to Keccak's website, $\keccak(k \concat x)$ is safe: Unlike SHA-1 and SHA-...
MCCCS
1 vote
3 answers
740 views

Assume both Alice and Bob have a symmetrical key, let's call it $k$. They agree on a cryptographic hash function, let's call it $\mathsf{HASH}$. Now Alice wants to send an authenticated message. She ...
Victor Loke Chapelle Hansen
2 votes
1 answer
837 views

I need your advice on following scheme of exchange protocol between remote lock and key. I'm planning to use following algorithm: Key generates unique value that never repeats (in reality it's just ...
Ruslan
5 votes
1 answer
849 views

I have a short message that’s exactly 128 bits of length. The message serves as a time-limited authorization token for a database. It contains a permission profile ID (64 bits) and an issue timestamp (...
Anon2000
6 votes
2 answers
324 views

I'll define an example hash-based stream cipher as such: $H: \{0,1\}^* \rightarrow \{0,1\}^{256}$ is the hash function. $K=\{0,1\}^{256}$ is the secret key. $N=\{0,1\}^{128}$ is the nonce. $C=\{0,1\}^{...
Melab
2 votes
1 answer
597 views

Assume you are already given a properly-salted, password hash $X$ from some slow PBKDF (e.g., like Argon2id). Now, you want to apply some large (~256-bit) secret "pepper" $S$ to it before storing it ...
ManRow