HMAC vs simple MD5 Hash

Solution 1:

HMAC is not susceptible to length extension attacks.

md5(T + K) should be fine for most uses unless your adversary is motivated to tamper with your message and has very good computing power. As long as you control T, birthday attacks are not applicable and you only have brute-force attacks. But it is good to be aware of the limitations. If you want to go with this approach you may want use SHA1(T + K) instead of MD5.

md5(T+K) is certainly better than md5(K+T) where an attacker may append text to your message and generate another valid MAC.

With md5(T+K), the issue is that if an attacker can find a collision with T2 such that md5(T) = md5(T2), then md5(T+K) = md5(T2+K). But this requires a brute-force attack.

Note: I say "as long as you control T", because if changes can be made to T (in such a way that it is not obvious) one can try to generate 2 messages T1 and T2 where T1 can pass for T and md5(T1) = md5(T2). Now this is relatively lot easier to do (we are talking 2^64 instead of 2^128) and the reason is the so-called Birthday paradox or Birthday attack.

Note: The design of HMAC was motivated to avoid these kinds of extension attacks. There are no known attacks against HMAC.

Solution 2:

The Wikipedia article on HMAC gives a good explanation of this.

In the Security section of the same article it goes on to say:

HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.

So adding an HMAC to an MD5 hash would make it substantially more difficult to break via a rainbow table.