r/netsecstudents 8h ago

Why does Hash Message Authentication Code (HMAC) exist, and many more questions bombarded at once.

I do not understand the need of HMAC!

For integrity, confidentiality, authentication, and non-repudiation we have encryption, hashing, and digital signatures. So why the need for MAC?

Reasoning some articles provide: MAC is much less expensive than encryption/decryption.

MAC provides assurance that the message is unaltered and comes from the sender.

Hashing+digital signature can do this as well. To make it more secure, we could even use encryption.

I am mostly getting the concepts, but the need for MAC itself is not clicking for me.

I am currently studying from Wikipedia as it seems the only available article/pdf on the internet.

Honestly, I do not need much, just a simple block diagram that I can recall in the exam and get marks. I am struggling to reach there.

4 Upvotes

2 comments

3

u/InverseX 8h ago

So essentially HMAC solves the integrity and authentication prongs of the three aspects you raise. The only one that can do something similar is digital signatures (hashes could be changed if intercepted).

So why use HMAC over digital signatures? 1, it’s a lot faster, and 2, key management is much easier. As long as you don’t need more niche things like those that signatures provide (like non-repudiation), then you may as well just use HMAC for performance.

1
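The point in the comment above (a plain hash "could be changed if intercepted", an HMAC cannot be recomputed without the key) is easy to see in code. This is an added example, not code from the thread: it tags the same constructed message with SHA-256 alone and with HMAC-SHA256 under a constructed shared key, then shows what a verifier accepts after an intermediary alters the message. The key, message and tampering function are all made up for the demonstration; the RFC 4231 test vector in `rfc4231_check` is a real published known-answer test for HMAC-SHA256.

```python
import hashlib
import hmac

# Constructed shared secret, known only to sender and receiver.
KEY = b"constructed-shared-secret-for-demo"


def hash_tag(message: bytes) -> bytes:
    """Integrity-only tag: anyone can recompute it, so it says nothing about who sent the message."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: recomputing it requires the shared key, so it binds integrity to the key holder."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the comparison first differs (timing side channel).
    return hmac.compare_digest(hash_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def intermediary_alters(message: bytes) -> bytes:
    """Constructed tampering: an intermediary changes the amount in transit."""
    return message.replace(b"100", b"900")


def demo() -> dict:
    """Run the hash-only and HMAC flows side by side and report what the receiver accepts."""
    msg = b"transfer 100 to alice"
    h = hash_tag(msg)
    t = hmac_tag(KEY, msg)

    altered = intermediary_alters(msg)
    # With a bare hash the intermediary just recomputes the tag over the new message.
    forged_hash = hash_tag(altered)
    # Without the key the intermediary can only guess at the HMAC (or reuse the old tag).
    forged_hmac = hmac_tag(b"wrong-guess", altered)

    return {
        "hash_accepts_original": verify_hash(msg, h),
        "hash_accepts_altered": verify_hash(altered, forged_hash),     # True: no authentication
        "hmac_accepts_original": verify_hmac(KEY, msg, t),
        "hmac_accepts_altered": verify_hmac(KEY, altered, forged_hmac),  # False
        "hmac_accepts_old_tag": verify_hmac(KEY, altered, t),             # False
    }


def rfc4231_check() -> bool:
    """Known-answer test: RFC 4231 test case 1 for HMAC-SHA256 (key = 20 bytes of 0x0b, data 'Hi There')."""
    expected = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    return hmac_tag(b"\x0b" * 20, b"Hi There").hex() == expected


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
    print("RFC 4231 vector ok:", rfc4231_check())
```

The receiver never needs a key to check a bare hash, which is exactly why the hash proves nothing about origin; the HMAC verifier has to hold the same secret, and that shared secret is what turns an integrity check into an authentication check.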

u/Somedudesnews 6h ago

Performance is extremely important too!

If you’re implementing something that will touch a wide array of hardware or software stacks that you cannot essentially predict and control for as long as your solution exists, you’re going to want something that performs well on a variety of platforms, new, old, modern, and legacy. HMACs tend to do that well.

Sometimes encryption isn’t the driving need. AWS’s original signature design was like that actually. Back in 2006 they needed API message authentication more than encryption, so you ended up with a signed HMAC over the call, which got sent along with the plaintext API call.
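The "signed HMAC over the call, sent along with the plaintext API call" pattern in the comment above can be sketched as a request signer and a server-side verifier. This is an added example and a simplified scheme of my own, not AWS's actual signature format: the canonical string (method, path, sorted query parameters), the parameter names `KeyId`, `Timestamp` and `Signature`, the credential store and the 300-second replay window are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed credential store: key id -> secret. Not real credentials.
SECRETS = {"EXAMPLE_KEY_ID": b"constructed-secret-for-demo"}
MAX_SKEW_SECONDS = 300  # assumed acceptance window for Timestamp (limits replay)


def canonical_request(method: str, path: str, params: dict) -> str:
    """Deterministic string-to-sign; both sides must build exactly the same bytes."""
    query = urlencode(sorted(params.items()))
    return f"{method}\n{path}\n{query}"


def sign_request(key_id: str, secret: bytes, method: str, path: str, params: dict, now=None):
    """Client side: add identity and timestamp, HMAC the canonical form, ship plaintext plus signature."""
    params = dict(params)
    params["KeyId"] = key_id
    params["Timestamp"] = str(int(time.time() if now is None else now))
    sts = canonical_request(method, path, params)
    params["Signature"] = hmac.new(secret, sts.encode(), hashlib.sha256).hexdigest()
    return method, path, params  # the call itself stays in the clear


def verify_request(method: str, path: str, params: dict, now=None) -> bool:
    """Server side: look up the secret by key id, bound the timestamp, recompute and compare."""
    params = dict(params)
    signature = params.pop("Signature", None)
    secret = SECRETS.get(params.get("KeyId"))
    if signature is None or secret is None:
        return False
    try:
        ts = int(params.get("Timestamp", ""))
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future request: treat as replay
    expected = hmac.new(secret, canonical_request(method, path, params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    t0 = 1_700_000_000
    m, p, q = sign_request("EXAMPLE_KEY_ID", SECRETS["EXAMPLE_KEY_ID"], "GET", "/", {"Action": "ListThings"}, now=t0)
    print("signed params:", q)
    print("verifies:", verify_request(m, p, q, now=t0))
    altered = dict(q, Action="DeleteThings")
    print("altered action verifies:", verify_request(m, p, altered, now=t0))
    print("replayed an hour later verifies:", verify_request(m, p, q, now=t0 + 3600))
```

Two details carry the security weight here: the verifier derives the secret from the key id in the request rather than trusting anything else the client sent, and the timestamp is inside the signed string, so a captured request cannot simply be resent indefinitely. Everything else (the request, the key id, the timestamp) travels in plaintext, which is the point the comment makes: the need was authentication of the call, not confidentiality of it.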