Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why do I need HMACs when we do have public key signatures?

Tags:

cryptography

public-key-encryption

hmac

Preamble: I am quite new to HMACs, so please forgive me if the question is a little bit dumb.

As far as I understood, an HMAC is used to make sure that a message has not been tampered. So basically, it serves as a hash code. But, as the hash algorithm is known an attacker could easily calculate a new hash code for the tampered version of the message.

This is what HMACs try to solve: They provide a hash which is not only based upon the message that shall be hashed, but also on a cryptographic key. This way it is not possible to calculate a valid for the message without knowledge of the key.

Is this right so far?

My question now is: What do we need HMACs for if we can achieve the same goal using public key signing? IIRC signing works exactly the same way: Calculate a hash and sign it to make sure that nobody tampered either the message or the hash.

So what's the point of an HMAC?

like image 637
Golo Roden Avatar asked Jan 17 '13 05:01

Golo Roden

People also ask

What are HMACs used for?

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

Why is HMAC secure?

It is a result of work done on developing a MAC derived from cryptographic hash functions. HMAC is a great resistance towards cryptanalysis attacks as it uses the Hashing concept twice. HMAC consists of twin benefits of Hashing and MAC and thus is more secure than any other authentication code.

How are HMAC keys shared?

When two parties exchange messages through those secure file transfer protocols, those messages will be accompanied by HMACs instead of plain hashes. An HMAC employs both a hash function and a shared secret key. A shared secret key provides exchanging parties a way to establish the authenticity of the message.

Why HMAC is designed in that way?

The design of the HMAC specification was motivated by the existence of attacks on more trivial mechanisms for combining a key with a hash function. For example, one might assume the same security that HMAC provides could be achieved with MAC = H(key ∥ message).

1 Answers

An HMAC is smaller in size and takes much less CPU to compute and verify than any know public key operation for comparable security levels.

like image 80
David Schwartz Avatar answered Oct 01 '22 04:10

David Schwartz
Sign in to Comment

Related questions

Encrypt and Decrypt a string to fixed length
Reuse ICryptoTransform objects
NodeJS implementation for Python's pbkdf2_sha256.verify
HMAC-SHA1 in Rust
Web Crypto API without ssl
Howto display or view encrypted data in encrypted form?
Password Cracking in 2010 and Beyond
RSA Encryption - Encrypt with private key
A commutative cipher?
Cryptanalysis of ciphertext using Java
Application to Application authentication/access control without HTTPS
Brute-Force language detection
How does cross platform AES encryption work?
python aes encrypt/decrypt does not return the same results
Portable Class Library (PCL) Contrib - Cryptography
Correct way to use php openssl_encrypt
When is it safe to use a broken hash function?
C#: How to generate short MD5 code?
shorter php cipher than md5?
C# BouncyCastle - RSA Encryption with Public/Private keys

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!