In this paper, we analyze the security of HMAC and NMAC, both of which are message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function.