This paper presents the first equivalent key recovery attack on H 2-MAC-MD5, which conduces to a selective forgery attack directly. H 2-MAC is similar with HMAC except that the outer key is omitted. For HMAC-MD5, since the available differential paths are pseudo-collisions, all the key recovery attacks are in the related-key setting, while our attack on H 2-MAC-MD5 gets rid of this restriction. Based on the distinguisher of HMAC-MD5 proposed by Wang et al., a pair of intermediate chaining variables, i.e., the equivalent keys $(\tilde{K},\tilde{K}')$ , is detected which fulfils the specific conditions on (IV,IV′) of the pseudo-collision. Then the inner key recovery attack on HMAC-MD5 explored by Contini and Yin is adopted to recover $(\tilde{K},\tilde{K}')$ . Consequently, the adversary can compute the valid MAC value of M 0 ∥ M * effortlessly, where M 0 is a fixed one-block message, and M * can be any bit string.