What’s what and when to use it?
Hash. Think of it as a checksum, but one that has been mathematically proven to have certain security properties (a cryptographic checksum). A hash or digest can be created using algorithms like md5. Typically, the digest is sent along with the message. Once received, the receiver recreates the digest using the same algorithm and compares the computed digest with the received one. A match indicates that the message has not been changed since the digest was first created by the sender.
A digest, when included with the message and then encrypted (using symmetric cryptography), also provides authentication because the shared encryption key is held only by the two communicating parties. This, however, does not provide non-repudiation, because the shared key means that the message could have been sent by either of the communicating parties. For example, the sender sends an encrypted message with an enclosed hash value and then denies sending it. Furthermore, he claims that the receiver actually sent the message. Unfortunately, in this situation, the receiver cannot prove that he was not the sender. Remember, looking at the message's sender or receiver fields is not enough, because such attributes of a message can easily be spoofed.
MAC. A Message Authentication Code is a code (like a hash value) that provides authentication. It is usually constructed using symmetric encryption ciphers, e.g. CBC-MAC. Now you may ask, "why not include the hash in the encrypted message to get authentication?" (just like we talked about above). The answer is that, yes, it can be done, but it's not practical. It's quite possible that the message is decrypted once and then authenticated later by multiple parties. If the hash were inside, the entire encrypted message would have to be stored and decrypted each time before authenticating. By separating encryption/decryption from integrity verification, we reduce computation and introduce flexibility when implementing security protocols. MACs are generally computed using the plain text message and then concatenated to the encrypted message before transmission.
HMAC. A Hash Message Authentication Code is a MAC constructed using hash functions rather than block ciphers. One of the main reasons for making hash-based MACs was faster performance.
Block-cipher-based MACs (like CBC-MAC) existed even when hash functions (like md5) were being used. Later, Kaliski et al. showed how to construct a MAC using md5. However, the methods for constructing MACs using hash functions like md5 or SHA-1 were mostly ad hoc and without sound security analysis. Then came HMAC by Bellare et al., who described a general construction for MACs based on hash functions and showed that it would be as secure as the hash function used in the construction.
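The following Python example is added here and is not code from the original post. It builds HMAC from a plain hash function following the RFC 2104 construction, checks the result against the standard library, and contrasts a bare digest with a keyed tag. The choice of SHA-256, the key, and the messages are constructed assumptions.

```python
import hashlib
import hmac

def hmac_from_hash(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:               # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")    # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify_digest(msg: bytes, digest: bytes) -> bool:
    """Receiver-side check of an unkeyed digest sent next to the message."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check of an HMAC tag, compared in constant time."""
    return hmac.compare_digest(hmac_from_hash(key, msg), tag)

# Constructed sample values (assumptions, not from the post).
KEY = b"shared-key-known-to-both-parties"
MSG = b"pay 10 to alice"
ALTERED = b"pay 99 to alice"

def demo() -> dict:
    tag = hmac_from_hash(KEY, MSG)
    return {
        # The hand-built construction agrees with the standard library.
        "matches_stdlib": tag == hmac.new(KEY, MSG, hashlib.sha256).digest(),
        # A bare digest needs no secret, so a changed message can carry a
        # freshly computed digest and still pass: integrity only.
        "altered_with_new_digest_accepted": verify_digest(
            ALTERED, hashlib.sha256(ALTERED).digest()),
        # The keyed tag for the original message does not fit the altered one.
        "altered_with_old_tag_accepted": verify_tag(KEY, ALTERED, tag),
        # A tag made without the shared key is rejected.
        "tag_from_wrong_key_accepted": verify_tag(
            KEY, ALTERED, hmac_from_hash(b"guess", ALTERED)),
        # Sender and receiver compute the same tag from the same key, so the
        # tag cannot show which of them produced it: no non-repudiation.
        "either_party_produces_same_tag": hmac_from_hash(KEY, MSG) == tag,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
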
Tags: security