How to use an HMAC?

i am using a cryptographic library in php (http://phpseclib.sourceforge.net/).

i am adding a new pair of methods to its AES class.
those methods implement HMAC generation/verification.
encryption method adds the hmac string to the ciphertext.
decryption method separates the hmac and verifies it.

i have several questions.

1) is this general formula correct for the encryption method:


note: || means concatenation.

2) it is better the hmac be appended or prepended to the cipher text and why (or maybe there is no deference?).

3) i can use a variety of hash algorithms for hmac:
md2, md5, md5-96, sha1, sha1-96, sha256, sha384, and sha512

but i dont want to degrade the performance and increase the output length unnecessarily. if it is relevant, i use AES 128 bits; i am not sure if there must be a correlation between the encryption key length and the hmac algorithm used.

i know that the md5 and sha1 hash algorithms have known weaknesses and should no longer be used, but wikipedia article about HMAC says:

so can i use hmac-md5 safely?

Hi,
For question 2, I'm trying to think about it, but I don't see why the place of the MAC should matter. Indeed, you can let any eavedropper guess where is your MAC and where is your ciphertext inside final_result, if your MAC and ciphertext are safe. It can be a public information, so whether the MAC is behind the ciphertext or not doesn't seem to be an issue for me.
Also, I'd like to add to your question :
4) Is it safe to use the same key for the symetric cipher (aes_encr) and the HMAC (as you do) ? I know it's not when using CBC-MAC, but I wonder if it's also the case for HMAC.

Well i am not sure about this but you can take mac support for better information such as any Mac related issue.