
From my research on using HMAC, it protects against length extension attacks on Merkle-Damgård hash algorithms. Is an HMAC only useful in the circumstance that the message syntax allows for lengthening and the key precedes the message when hashing?

If a server only accepts one command at a time, either "A", "B", or "C" such that a command "AB" or "AC" would not make any sense, then is there any concern with using H(KEY||A) (where H is a Merkle-Damgård digest) seeing as any length extension of that message would be a syntax error?

Also, wouldn't H(MESSAGE||KEY) also protect against length extension seeing as the legitimate receiver would try to authenticate H(MESSAGE1||MESSAGE2||KEY) but an attacker would only be able to calculate H(MESSAGE1||KEY||MESSAGE2)?

I'm not a cryptographer. I understand there may be purely academic attacks possible (say reducing brute force from a billion years to a million years), but are there any practical attacks possible that would allow for forged messages or recovery of the key in these instances?

  • This is not a programming or development issue, and is off-topic for StackOverflow. It is on-topic for crypto.stackexchange.com, where at least https://crypto.stackexchange.com/questions/68502/have-there-been-efforts-to-prevent-length-extension-attacks- https://crypto.stackexchange.com/questions/25693/is-the-hmac-construction-really-neccessary-for-a-fixed-length-message https://crypto.stackexchange.com/questions/1186/is-hklengthx-a-secure-mac-construction are relevant, and nearly https://crypto.stackexchange.com/questions/2465/in-which-situations-is-a-length-extension-attack- and likely more. – dave_thompson_085 Jul 11 '23 at 08:59
  • Thanks. I thought this would be on topic since I was asking for practical attacks (meaning there would be coding involved). However, I think this one essentially answered my question: https://crypto.stackexchange.com/questions/25693/is-the-hmac-construction-really-neccessary-for-a-fixed-length-message tl;dr - An HMAC is mathematically proven to be secure; my proposals have no proof. From the answer, "You don't have to use an HMAC, do it anyway." – drowsily.throbbing872 Jul 13 '23 at 15:12
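The comment thread ends on "do it anyway", so here is what that looks like for the single-command server described in the question. This is an added example, not code from the question or its comments: it tags each command with HMAC-SHA256 (Python's standard `hmac` module) over a length-prefixed encoding, so that neither the MAC construction nor the message framing has to lean on the server's syntax rules for safety. The `ALLOWED_COMMANDS` set, the `context` field, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed command vocabulary from the question: the server takes exactly
# one of these per message, so "AB" is a syntax error rather than a command.
ALLOWED_COMMANDS = {"A", "B", "C"}


def encode(fields):
    """Canonical, unambiguous encoding: every field is prefixed with its
    length as a 4-byte big-endian integer.  Plain concatenation maps the
    field lists ["A", "B"] and ["AB"] to the same bytes; this encoding does
    not, so the tag commits to the field boundaries as well as the content."""
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def raw_concat(fields):
    """The ambiguous alternative, kept only to contrast with encode()."""
    return b"".join(f.encode("utf-8") for f in fields)


def generate_key():
    """256-bit random key; HMAC-SHA256 keys need not be secret-padded
    or length-restricted, the construction handles that internally."""
    return secrets.token_bytes(32)


def make_tag(key, command, context=""):
    """HMAC-SHA256 over the canonical encoding of (context, command).

    Unlike H(KEY||msg) over a Merkle-Damgard hash, HMAC's nested
    H(K ^ opad || H(K ^ ipad || msg)) never exposes the inner chaining
    state in its output, so the length-extension question does not arise
    regardless of what the server's grammar will or will not accept.
    `context` (e.g. a session id, assumed here) binds the tag to a
    particular conversation so a tag for "A" cannot be replayed elsewhere."""
    return hmac.new(key, encode([context, command]), hashlib.sha256).digest()


def verify(key, command, tag, context=""):
    """Server-side check: reject anything outside the grammar first, then
    compare tags in constant time.  Ordinary `==` on digests leaks timing
    information about how many leading bytes matched."""
    if command not in ALLOWED_COMMANDS:
        return False
    expected = make_tag(key, command, context)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = generate_key()
    tag = make_tag(key, "A", context="session-1")
    print("valid A accepted:  ", verify(key, "A", tag, context="session-1"))
    print("tag reused for B:  ", verify(key, "B", tag, context="session-1"))
    print("other session:     ", verify(key, "A", tag, context="session-2"))
    print("encoding ambiguous:", raw_concat(["A", "B"]) == raw_concat(["AB"]),
          "vs canonical:", encode(["A", "B"]) == encode(["AB"]))
```

Two design points worth noting: the vocabulary check runs before the MAC check, so a correctly tagged but unknown command such as "AB" is refused even if a tag for it exists, and the tag covers the length-prefixed encoding rather than `key + command`, which is the cheap fix for the framing ambiguity the question raises about `H(KEY||A)`.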

0 Answers