chtrinh

Reputation: 818

Difference between OpenSSL::HMAC#hexdigest vs Digest::MD5#hexdigest in ruby?

OpenSSL::HMAC#hexdigest (using MD5) vs Digest::MD5#hexdigest: what are the differences and/or advantages? Couldn't you just use Digest::MD5#hexdigest(KEY + DATA), or is that considered cryptographically weak?

Upvotes: 0

Views: 1920

Answers (1)

Frederick Cheung

Reputation: 84114

The HMAC-MD5 of DATA and KEY is defined as

MD5( (K xor pad1) + H( (K xor pad2) + DATA ) )

where pad1 and pad2 are two fixed constants. Some of the more obvious things you might do are cryptographically weak.

Digest::MD5.hexdigest(KEY + DATA)

is fatally flawed. Consider how MD5 works. It splits the input up into blocks of a certain size (512 bits for MD5) and sets up some initial state h0, h1, h2, h3. It then does a bunch of transformations to mix the first block of data with that initial state to produce new values of h0, h1, h2, h3. The second block of data is then combined with those to produce a new set of h0, h1, h2, h3 and so on. The final value of the hash function is just the concatenation of h0, h1, h2, h3.

This means that if you give me Digest::MD5#hexdigest(KEY + DATA) then I can calculate what Digest::MD5#hexdigest(KEY + DATA + OTHER_DATA) is without knowing KEY at all. You can do the same thing with SHA1.

If instead you did

Digest::MD5.hexdigest(DATA+KEY)

then any known collisions in MD5 are easily used to make messages with the same HMAC value.

Apparently

Digest::MD5.hexdigest(KEY+DATA+KEY)

may be flawed too, even if two different keys were used. HMAC was designed to mitigate all of these attacks.

Upvotes: 1
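
As an added example (not part of the answer above and not the OpenSSL bindings' own code), the HMAC-MD5 definition can be built by hand and checked against OpenSSL::HMAC, which also shows it is not the same value as Digest::MD5.hexdigest(KEY + DATA). The pad bytes 0x5c and 0x36 and the key padding rule are taken from RFC 2104; the method names and sample values are constructed for illustration.

```ruby
require 'digest'
require 'openssl'

BLOCK_SIZE = 64 # MD5 consumes input in 512-bit (64-byte) blocks

# XOR every byte of a binary string with one constant pad byte.
def xor_with(bytes, pad_byte)
  bytes.bytes.map { |b| b ^ pad_byte }.pack('C*')
end

# HMAC-MD5 from the definition: MD5((K xor pad1) + MD5((K xor pad2) + DATA)),
# where pad1 is the outer pad (0x5c) and pad2 the inner pad (0x36).
def manual_hmac_md5(key, data)
  key = key.b
  # A key longer than one block is hashed first; then it is zero-padded to a block.
  key = Digest::MD5.digest(key) if key.bytesize > BLOCK_SIZE
  key = key.ljust(BLOCK_SIZE, "\x00".b)

  inner = Digest::MD5.digest(xor_with(key, 0x36) + data.b)
  Digest::MD5.hexdigest(xor_with(key, 0x5c) + inner)
end

# The same MAC through the library call the question asks about.
def library_hmac_md5(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('MD5'), key, data)
end

# Verify a received hex tag without returning early on the first mismatching byte.
def tag_valid?(key, data, tag_hex)
  expected = library_hmac_md5(key, data)
  return false unless expected.bytesize == tag_hex.bytesize

  diff = 0
  expected.bytes.zip(tag_hex.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Constructed sample values, not from the original post.
KEY  = 'constructed-sample-key'
DATA = 'amount=100&to=alice'

puts "manual HMAC : #{manual_hmac_md5(KEY, DATA)}"
puts "OpenSSL HMAC: #{library_hmac_md5(KEY, DATA)}"
puts "MD5(KEY+DATA): #{Digest::MD5.hexdigest(KEY + DATA)}"
puts "tag accepted: #{tag_valid?(KEY, DATA, library_hmac_md5(KEY, DATA))}"
```

The outer hash only ever sees a fixed-length inner digest, so the published tag is not the internal state left after hashing KEY + DATA, which is what the extension described in the answer depends on.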
