Why double hash

Single hash vulnerable to length-extension attacks (SHA-2 based). Double hash + key masking eliminate.

Advertisement

Constant-time comparison

Verify HMAC via constant-time comparison. Timing attacks on == leak byte-by-byte match.

Advertisement

HMAC-SHA256

Most common instantiation. Used in JWT (HS256), API signatures (AWS SigV4), OAuth.

KMAC for SHA-3

SHA-3's sponge design doesn't need HMAC wrapping. KMAC is native SHA-3 MAC.