Abstract:
H2-MAC was proposed by Yasuda to increase efficiency over the hash-based message authentication code (HMAC) by omitting its outer key, while keeping the advantages and security of HMAC. We propose an efficient method to break H2-MAC, using a generalized birthday attack to recover the equivalent key, under the assumption that the underlying hash function is secure (collision resistance). We can successfully recover the equivalent key of H2-MAC instantiated with any Merkle-Damgård hash function in about $2^{n/2}$ on-line message authentication code (MAC) queries and $2^{n/2}$ on-line MAC computations with good probability. We argue that the pseudo random function-affix (PRF-AX) assumption of the original security proof of H2-MAC, and we prove that the security of H2-MAC is dependent on the collision resistance of the underlying hash function, instead of the PRF assumption.