Could the output of the HMAC be the same if I used different keys and messages?
Example:
Out1 = HMAC(key1, msg1)
Out2 = HMAC(key2, msg2)
Could Out1=Out2 under any condition?
In short, you can't find such pairs better than negligible probability when the search is computationally bounded.
HMAC is a Pseudo-Random Function (PRF) under the assumption that the used hash function is PRF.
What you are looking for a collision for the HMAC. In theory, it is possible to find such pairs that they will collide.
If you use a n
bit output then the collision probability of two pairs is 1/2^n
for the fixed key. If HMAC is initiated with SHA256 then the collision of two random pairs will be 1/2^256
. By the birthday paradox, you will need around 2^128
pairs to find a collision with 50% under the same key.
A similar calculation can be performed with random keys, too.