We　propose　a　general　equivalent　inner　key　recovery　attack　to　the　NMAC　(Nested　Message　Authentication　Code)　instantiated　with　secure　hash　function　in　a　related　key　setting,　by　applying　a　generalized　birthday　attack　with　two　groups.　We　can　recover　the　equivalent　inner　key　of　NMAC　in　about　2　n/2+1　on-line　MAC　queries.　The　assumption　of　that　the　underlying　hash　function　must　be　collision　resistant　is　dropped　in　the　security　proof　of　NMAC.　However,　our　result　shows　that　NMAC,　even　instantiated　with　a　collision　resistant　Merkle-Damgard　hash　function,　is　not　secure　as　its　designer　claimed.　©　2013　Springer-Verlag　Berlin　Heidelberg.