What's the difference between Message Digest, Message Authentication Code, and HMAC?

security hmac message-digest
41,807

Solution 1

  • A message digest algorithm takes a single input -- a message -- and produces a "message digest" (aka hash) which allows you to verify the integrity of the message: Any change to the message will (ideally) result in a different hash being generated. An attacker that can replace the message and digest is fully capable of replacing the message and digest with a new valid pair.
  • A MAC algorithm takes two inputs -- a message and a secret key -- and produces a MAC which allows you to verify the integrity and the authenticity of the message: Any change to the message or the secret key will (ideally) result in a different MAC being generated. Nobody without access to the secret should be able to generate a MAC calculation that verifies; in other words a MAC can be used to check that the MAC was generated by a party that has access to the secret key.
  • A HMAC algorithm is simply a specific type of MAC algorithm that uses a hash algorithm internally (rather than, for example, an encryption algorithm) to generate the MAC.

Solution 2

  • A Message Digest is simply a hash of a message. It's the output of a cryptographic hash function applied to input data, which is referred to as a message.
  • A Message Authentication Code (MAC) is a piece of information that proves the integrity of a message and cannot be counterfeited easily.
  • A HMAC is a specific kind of MAC defined by RFC 2104.

Wikipedia has good articles covering all these terms: see Message Digest, Message Authentication Code, and HMAC.

Share:
41,807
zer0stimulus
Author by

zer0stimulus

Updated on July 08, 2022

Comments

  • zer0stimulus
    zer0stimulus almost 2 years

    My understanding of a message digest is that it's an encrypted hash of some data sent along with the encrypted data so you may verify that the data has not been tampered with. What is the difference then between this and message authentication codes (MAC) and hash MACs (HMAC)?

  • Maarten Bodewes
    Maarten Bodewes almost 12 years
    @Rook Very old remark here, but CMAC is just a specific form of MAC. Of course there is nothing against using AES-CMAC.
  • rook
    rook almost 12 years
    @owlstead Your right, i was confused because some libraries refer to it as a mode.
  • nsg
    nsg about 11 years
    For MAC, integrity and authenticity can both be proven because the sending party and receiving party share a common secret key.
  • leonbloy
    leonbloy almost 7 years
    "a MAC can be used to check that the MAC was generated..." Shouldn't that be "... to check that the message was generated..."?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to send password securely via HTTP using Javascript in absence of HTTPS?
Using HMAC-SHA1 for API authentication - how to store the client password securely?
How to manage OAuth flow in mobile application with server
Are compile-time variables secure in flutter?
Why is it bad practice to use an FCM Server Key on a Flutter/Android client?
How to protect Flutter app from reverse engineering
GDPR and personal data
Securely Saving API Keys In Android (flutter) Apps
How can I prevent backup for user data in flutter for iOS app?
Flutter/Dart security scans