0

I’ve seen that the question has been asked already but this is still confusing to me.

In a digital signature, Alice sends a message M and the hash(M) which is signed by her private key. Bob recomputes hash(M) (that he retrieves with Alice’s public key) and ensures that he finds the same hash value as Alice. Therefore he knows that the message M is coming from Alice and that M has not been tampered with during the transit. So, it looks like we get both authentication and integrity.

In the HMAC construction (or more generally MAC this is not the subject here), a shared key between Alice and Bob is appended to the hash of data. I agree that it provides also both message authentication and integrity but what does it provide more? In other words, in which situation is HMAC absolutely required?

otus
  • 32,132
  • 5
  • 70
  • 165
loukios
  • 101
  • 1

1 Answers1

1

In principle, a signature can always be used in lieu of a MAC. You use a MAC when you want the legitimate recipient of a message to be able to verify its authenticity. With a signature, everyone, including of course the legitimate recipient, can verify the authenticity of a message.

The reason we use MACs at all, instead of just using signatures all the time, is of course that MAC constructions are more efficient. Thus an answer to the question could be: when a signature is not efficient enough for your purposes.

fkraiem
  • 8,112
  • 2
  • 27
  • 38