What are the benefits of HMAC over symmetric cryptography?

Somehow I don't get HMACs.

I once asked Why do I need HMACs when we do have public key signatures?, and I think I got this one. Easier to compute, and so on ...

But what I do not get is why we need HMACs at all, or rather what kind of problem they are solving.

From my understanding, HMACs ...

  • provide a way to make sure the message has not been tampered with,
  • are "secured" by a secret, but symmetric, key.

Hence for calculating the HMAC (either initially or for verification) I do need to know the secret key.

Now, if I can exchange this key in a secret way without it being tampered with, I could also exchange the message in the very same secret way without it being tampered with, couldn't I?

Okay, now you could argue that you only need to exchange the key once, but you may have multiple messages. That's fine.

But if we now have a secret key that must be kept secret by all parties, we could also directly use symmetric encryption using the very same secret key to encrypt the message, couldn't we?

Of course, an HMAC shall provide a solution against tampering, but if I only have an encrypted message without the secret key and a reasonable encryption algorithm, I cannot change that encrypted message in a way that a) decryption still works, and b) a meaningful decrypted message appears.

So what do I need an HMAC actually for? Or - where is the point that I am missing?

asked by Golo Roden, Feb 10 '13 09:02

1 Answer

You're assuming that it is impossible to tamper with an encrypted message without knowing the key used for encryption. This is not the case and a dangerous assumption to make. There are several things possible even if you only have access to the ciphertext:

  • Corruption of a suffix of the message: this can leak information about the content through error messages, timing and possibly other ways.
  • Corruption of ranges of the message for some modes (ECB, CFB and possibly others): same as above but the attacker has more ways to trigger the wanted behaviour.
  • Flipping of arbitrary bits in a single block (not knowing their initial value though) and corruption of the following block (CFB): If some bits are known to the attacker he can set them to the value he wants.
  • Flipping of arbitrary bits in the whole message for stream ciphers or stream cipher equivalent modes for block ciphers: This can avoid corruption altogether.

Thus it is very important to verify that no attacker tampered with the message before processing even a single byte of the decrypted content. Since there are again some pitfalls in doing this using ad-hoc verification or simple hashing, there is a need for MACs, of which HMAC is one example.

answered by jix, Oct 04 '22 08:10
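The last bullet of the answer (flipping arbitrary bits under a stream cipher) and its conclusion (verify a MAC before decrypting anything) can be seen side by side in a short script. This is an added example, not code from the question or answer; it uses only the Python standard library, so the stream cipher is a constructed SHA-256 counter-mode keystream standing in for a real one, and the keys, nonce and message are constructed values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a stand-in for a real stream cipher,
    used here only so the example runs on the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse), with no integrity check at all."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers nonce and ciphertext, under a separate key."""
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Check the HMAC in constant time before decrypting a single byte; None on failure."""
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(enc_key, nonce, ct)

def flip_field(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """The malleability the answer describes: XORing (known ^ wanted) into the
    ciphertext changes the decrypted field without any knowledge of the key."""
    patched = bytearray(ct)
    for i, (k, w) in enumerate(zip(known, wanted)):
        patched[offset + i] ^= k ^ w
    return bytes(patched)

def demo():
    enc_key, mac_key, nonce = b"e" * 32, b"m" * 32, bytes(16)   # constructed values
    plaintext = b"transfer amount=0100 to=alice"                 # "0100" starts at byte 16
    # Unauthenticated: the modified ciphertext decrypts "cleanly" to a different amount.
    ct = stream_xor(enc_key, nonce, plaintext)
    unauthenticated = stream_xor(enc_key, nonce, flip_field(ct, 16, b"0100", b"9900"))
    # With HMAC: the same modification is rejected before any decryption happens.
    sealed = seal(enc_key, mac_key, nonce, plaintext)
    tampered = sealed[:16] + flip_field(sealed[16:-32], 16, b"0100", b"9900") + sealed[-32:]
    return unauthenticated, open_sealed(enc_key, mac_key, sealed), open_sealed(enc_key, mac_key, tampered)
```

Running `demo()` returns the silently altered plaintext for the unauthenticated case, the original plaintext for the intact sealed message, and `None` for the sealed message after the same modification.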