MACs, Hashes, and Digital Signatures


I often get this question from students: “What’s the difference between MAC, Hashes, and Digital Signatures?” So I thought I’d write a short article about it. For more about these topics, get my CompTIA Security+ Cert Guide today!

First let’s give a short description of each:

• Cryptographic hash functions: This is a procedure that calculates a fixed-size bit string (hash value) from a piece of data. If the data is changed while it is in storage or in transit, the hash value will also be changed. This allows a person to verify whether the data has been tampered with. often, the data will be called the “message”, and the hash value will be called the “message digest” or “digest”.
An example would be to take basic text as data, such as the sentence “Study hard for the Security+ exam!” and calculate a hash from that data. The hash will be different every time it is calculated, but a typical example of the hash output would be:

1799 76B1 79A9 B121 BCF8

When a file is downloaded from a website, the file can be checked against the hash (for example an MD5 or SHA-1 hash) that is often listed next to the file download link. If the original hash and the downloaded file’s hash are the same, you can be fairly sure the data hasn’t been tampered with. If they are not the same, the downloaded file should be discarded as it has probably been compromised. Cryptographic hash functions can be used in conjunction with digital signatures and MACs as well.

• Digital Signatures: These are mathematical processes for proving the authenticity of a document or message. A proper digital signature implies that the message or document was created by the actual sender and not someone else. They are commonly used to prove that an electronic signature (a person’s actual signature performed on the computer) is authentic. They use asymmetric cryptography.

• MAC (Message authentication code): This is a small piece of information used to authenticate a message. The MAC algorithm takes a message and secret key and outputs a MAC value or “tag”. MACs only use secret keys, and rely on symmetric encryption. However, to function as intended the MAC must be able to resist plaintext attacks even if a hacker knows the secret key. Although the hacker can create their own MACs from the key, the MAC algorithm must be strong enough to make it impossible for the hacker to calculate the MAC for other messages. MACs can be built from hash functions; these are known as keyed hash functions.

Now, let’s cite some of the differences between the three:

• A MAC can be a cryptographic hash function (as in keyed hash functions), but a cryptographic hash function is not always a MAC.

• Digital signatures can be used in conjunction with cryptographic hash functions (as in SHA-1 and the Digital Signature Algorithm), but a cryptographic hash function is not always a digital signature.

• Digital signatures utilize asymmetric cryptography, whereas MACs use symmetric cryptography.

• Digital signatures provide for non-repudiation, whereas MACs do not, and cryptographic hash functions usually do not.

• MACs require additional security requirements than cryptographic hash functions, for example, the MAC must be resistant to plaintext attacks.

Hope this helps some of you!
I’m sure I’ll be adding to this article when I have more time.