This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.
What is the purpose of the "keyed-MAC" construction of the form
HASH(K,pad2,HASH(K,pad1,text))? It was proposed by the cryptographer
Hugo Krawczyk of IBM as a much more secure alternative to traditional
MACs. In a paper last year he demonstrated a proof that even if the
hash function was relatively weak (as MD5 has since proven itself to
be) the addition of the secret key in the function makes it
significantly more secure. The particular method proposed by
Krawczyk is now known as an HMAC.
The particular construction that Netscape uses for SSL is based on
the original internet-draft, and since that time it has been revised
such that it XORs the pads rather than appending them -- a nice
consequence of which is that pads are of the same size whether you
use MD5 or SHA; it also allows for long keys and has some
security advantages. This version may now be found as RFC 2104:
In the proposals we've seen for the IETF-TLS Working Group, the
scheme SSL 3.0 uses will be replaced by the official RFC HMAC.
The particular pad bytes used are the ones defined in Krawczyk's
original HMAC paper. We believe that they are relatively arbitrary.
The salient property is that half the bits differ: the Hamming
distance between 0x36 and 0x5c is 4 out of a possible 8. We don't
know if the fact that each of the pads also has a Hamming weight of
4 is significant or not.
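As an added example (not from the FAQ): both constructions side by side in Python, the SSL 3.0-style appended-pad nested MAC and the RFC 2104 XOR-pad HMAC, the latter cross-checked against the standard library, plus the Hamming figures for 0x36 and 0x5c. The SSL 3.0 pad lengths used here (48 bytes for MD5, 40 for SHA-1) are not stated on this page and are taken from the SSL 3.0 specification.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # pad bytes from Krawczyk's original HMAC paper


def ssl3_style_mac(key: bytes, text: bytes, digest=hashlib.md5) -> bytes:
    """SSL 3.0-era nested MAC: HASH(K + pad2 + HASH(K + pad1 + text)).

    The pads are appended to the key, and their length depends on the hash
    (assumption taken from the SSL 3.0 spec, not this page: 48 bytes for MD5,
    40 for SHA-1), which is the size mismatch the FAQ mentions.
    """
    pad_len = 48 if digest().name == "md5" else 40
    pad1, pad2 = bytes([IPAD]) * pad_len, bytes([OPAD]) * pad_len
    inner = digest(key + pad1 + text).digest()
    return digest(key + pad2 + inner).digest()


def rfc2104_hmac(key: bytes, text: bytes, digest=hashlib.md5) -> bytes:
    """RFC 2104 HMAC: HASH((K' ^ opad) || HASH((K' ^ ipad) || text)).

    K' is the key zero-padded to the hash block size (64 bytes for both MD5
    and SHA-1, so the pads are the same size for either); a key longer than
    a block is hashed first, which is how long keys are accommodated.
    """
    block = digest().block_size
    if len(key) > block:
        key = digest(key).digest()
    key = key.ljust(block, b"\x00")
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = digest(k_ipad + text).digest()
    return digest(k_opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes, digest=hashlib.md5) -> bool:
    """Cross-check rfc2104_hmac against Python's hmac module (constant-time compare)."""
    return hmac.compare_digest(rfc2104_hmac(key, text, digest),
                               hmac.new(key, text, digest).digest())


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def hamming_weight(a: int) -> int:
    """Number of set bits in a."""
    return bin(a).count("1")
```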