When a client and a server communicate over the internet, they are subject to MITM attacks. An attacker

can intercept the request from the client. The attacker may choose to modify the data and send the modified

request to the server. In such a scenario, the server needs to verify the integrity of the request received. The

standard way to verify the integrity of the request is to attach a tag called MAC to the request. There are

many ways to calculate MAC, and some of the methods are not secure$.$

MAC is calculated from a secret key and a message. A naive way to calculate MAC is to concatenate the

key with the message and calculate the one way hash of the resulting string. This method seems to be fine,

but it is subject to an attack called length extension attack, which allows attackers to modify the message

while still being able to generate a valid MAC based on the modified message, without knowing the secret

key.

Th