HMAC provides digital signatures using symmetric keys instead of PKI”. without complexities of public/private keys, root of trust and certificate chains, still have reliable digital signature with HMAC.
HMAC relies on symmetric key cryptography with pre-shared secrets instead of private/public pairs.
The downside is the same as with symmetric key cryptography in general – key distribution and protection of your secret keys.
SHA256(key||data) Merkle–Damgård construction, is vulnerable to a length extension attack:
given H(x), it’s very simple to find H(x||y), even if you only know the length of x, because of how the construction works.
Essentially, the construction works like this: You have a variable state that starts at some fixed value specified in the algorithm. You split the input to the hash function into blocks of size specified in the algorithm (padding the last block if it’s too short), and for each block, you use the current block and the current state to compute the new state using some special function specified in the algorithm. The value of state after processing the last block is the hash value. With any function using this construction, if you have the length of x, you can compute the padding p used. Then if you have H(x), you have the state after processing every block of x||p, which means you can proceed from there to compute H(x||p||y)).
That means that an attacker who knows the length of your MAC key and knows a particular value of SHA256(key||data) can easily compute SHA256(key||data||otherdata) for some given otherdata. They can choose most of the other data, but even if they couldn’t, it’s a fatal flaw in a MAC scheme if an attacker without the key can forge any MAC-data pair from other legitimate MAC-data pairs.
Incidentally, SHA256(data||key), while not vulnerable to length extension, is vulnerable to collisions in SHA256, which can also produce collisions in the proposed MAC, due to the same iterated construction. HMAC’s nesting prevents these and various other attacks. With non-Merkle-Damgård hashes, you don’t necessarily need the HMAC construction, though.