HMAC security - Is the security of the HMAC based on SHA-1 affected by the collision attacks on SHA-1?

执念已碎 2021-01-01 23:15

Is the security of the HMAC based on SHA-1 affected by the collision attacks on SHA-1?

3 answers
  •  再見小時候
    2021-01-01 23:43

    The security implications of HMAC are described in detail in the security section of the RFC. In a nutshell, a very strong attack indeed is required before the security of the HMAC is threatened; the existing collision attacks on SHA-1 certainly don't constitute such. HMAC is specifically designed to make attacks difficult, and ordinary collision attacks won't generally suffice:

    The security of the message authentication mechanism presented here depends on cryptographic properties of the hash function H: the resistance to collision finding (limited to the case where the initial value is secret and random, and where the output of the function is not explicitly available to the attacker), and the message authentication property of the compression function of H when applied to single blocks (in HMAC these blocks are partially unknown to an attacker as they contain the result of the inner H computation and, in particular, cannot be fully chosen by the attacker).

    I recommend reading the whole section; it goes into more detail about exactly what attacks would suffice to break an HMAC, and just how much effort would be required.
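
The construction that the quoted RFC passage refers to, written out as an added example (not part of the original answer): the message is only ever hashed behind a secret key block, and the inner digest is never published. The function names `hmac_sha1_parts` and `verify` are hypothetical; the key and message are the published RFC 2202 test case 1 values.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 compression-function block size in bytes

# RFC 2202 test case 1 for HMAC-SHA-1
RFC_KEY = b"\x0b" * 20
RFC_MSG = b"Hi There"


def hmac_sha1_parts(key: bytes, msg: bytes):
    """Return (inner_digest, tag) for HMAC-SHA1 built from RFC 2104's definition."""
    if len(key) > BLOCK:
        # Keys longer than one block are hashed down first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Inner hash: the first block absorbed is the secret K^ipad, so the
    # chaining state the message is processed from is unknown to an attacker
    # (the "secret and random initial value" of the RFC text).
    inner = hashlib.sha1(ipad + msg).digest()
    # Outer hash: the inner digest is hashed again behind K^opad, so the
    # attacker never sees the inner output, only the final tag.
    tag = hashlib.sha1(opad + inner).digest()
    return inner, tag


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha1_parts(key, msg)[1], tag)


if __name__ == "__main__":
    inner, tag = hmac_sha1_parts(RFC_KEY, RFC_MSG)
    print("plain SHA-1 :", hashlib.sha1(RFC_MSG).hexdigest())  # computable by anyone
    print("inner digest:", inner.hex())                         # needs the key, never sent
    print("HMAC tag    :", tag.hex())
    print("matches hmac module:",
          tag == hmac.new(RFC_KEY, RFC_MSG, hashlib.sha1).digest())
```
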
