Length extension attack can be used if HMAC is implemented with key prepended (sha-1/2, but not SHA3).
What do we gain in HMAC security by using inner/outer key as opposed to simply APPEND the key to the end and then calculate hash?
Orig post why prepend is a problem. Key at start or end of HMAC
