Possible Duplicate:
Why is H(k||x) not a secure MAC construction?
I've the following problem: two parties, A and B, share a secret key Kab. M is a plaintext message, H an unkeyed hash function
A send to B M, H( Kab | M ) (where | means concatenation).
If we want to provide data origin authentication and data integrity (no confidentiality required) my exercise states that we have to change the protocol to this:
A send to B M, H( Kab | M | Kab ).
I don't understand the difference in term of guarantees of the two protocols and thereby, why the second one is 'right' and the first one is not?
