Re: [Cfrg] Question about the order of hashing

Thomas Pornin <> Thu, 05 January 2012 13:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE1E921F8815 for <>; Thu, 5 Jan 2012 05:09:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.248
X-Spam-Status: No, score=-1.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_41=0.6, SARE_OBFU_ALL=0.751]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id f2iTB1G1knX6 for <>; Thu, 5 Jan 2012 05:09:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D0F7C21F8679 for <>; Thu, 5 Jan 2012 05:09:01 -0800 (PST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 600B968C090; Thu, 5 Jan 2012 14:08:32 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Thomas Pornin <>
In-Reply-To: <>
Date: Thu, 5 Jan 2012 08:08:31 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1251.1)
Cc: "" <>
Subject: Re: [Cfrg] Question about the order of hashing
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Jan 2012 13:09:03 -0000

On 2012-01-05, at 2:29 AM, Yoav Nir wrote:
> IOW, does changing HMAC(k, a||b) into HMAC(k, b||a) change the security properties.

As long as the concatenation can be unambiguously undone, the security properties are maintained.

The trouble with concatenation is that, when done carelessly, it can introduce ambiguities. For instance, if you take a protocol which concatenates the user name and his password directly, then user 'steven' with password 'cipher', and user 'steve' with password 'ncipher', end up with the same concatenation result: 'stevencipher'. That can be a problem for the security properties. In the case of users and passwords, a common solution is to add a separator character, which is forbidden in user names (hence 'steven:cipher' and 'steve:ncipher').

By swapping your 'a' and 'b', you might introduce ambiguities. For instance, suppose that 'a' is a self-terminated structure (i.e. it begins with a header which defines its length, so the end of 'a' and the start of 'b' can be reliably located within 'a||b' by looking at the first bytes), but 'b' is not. Then 'a||b' can always be split back into a single, well-defined (a,b) pair. On the other hand, 'b||a' might not be unambiguously split, so you could have distinct pairs 'b1||a1' and 'b2||a2' which both match the 'b||a' string (and yield the same MAC).

As long as you take care of that point, i.e. do not introduce the possibility of a 'stevencipher', then you can choose whichever conventional order you like, it will not impact the security of HMAC (of course, sender and receiver must both agree on the same, single, well-defined order).

	--Thomas Pornin