
Hash, MAC, and Signatures – The Differences Explained

July 16th, 2008 | No Comments | Posted in Cisco, Security, Technology, Web Services, XML

This is a very informative article describing the differences between a hash, MAC, and signature.  Specifically, I was a little bit unclear about the meaning of a MAC.  Basically, as the article describes it, a MAC is calculated by first generating a hash value and then applying a symmetric/session key to protect the hash (the HMAC algorithms it names key the hash directly rather than encrypting a finished digest).  This ensures that any modification of the hash value can be detected: even in a man-in-the-middle attack where both the content and the hash are replaced, the attacker cannot produce a valid MAC without the session key, so the receiver will reject the message.  I’m quoting this at length for future reference:

One of the problems with hashing is that it's wide open to man in the middle attacks. Without doubt hashing has its uses, but in terms of sending data there is nothing stopping someone from intercepting the data, modifying it, and then resending the new message with a new hash. What the receiver gets is a message where the hash code matches the data, even though the data has been modified.

Message Authentication Codes are a way to prevent this. MACs use symmetric encryption methods to protect the sent hash. Symmetric encryption uses one private session key, and both the sender and receiver need to have a copy of this key.

The process is as follows. Bob sends Alice some data. He generates a hash of the data and encrypts the hash using the symmetric key. Both the data and the encrypted hash are sent to Alice.

Alice, who also has the session key, generates her own hash from the data and encrypts it using the session key. She then checks her encrypted hash against the encrypted hash Bob sent. If they match the data is unchanged. Any man in the middle attacks no longer work as the middle man does not have the session key and therefore cannot generate a valid encrypted hash for the message.

Essentially a MAC is just an encrypted hash. It’s a combination of an encryption session key and a hashing algorithm.

Some example methods available in .NET include HMACMD5 a MAC algorithm based on MD5 hashing, and HMACSHA1 a MAC algorithm based on SHA1 hashing.

Example code for generating a random session key; this key is required to encrypt the hash code.
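The quoted article's own .NET key-generation snippet is not reproduced above. The following is an added Python example, not code from the original article or this post, that walks through the Bob/Alice exchange it describes: a random session key is generated, a plain hash is shown to be useless against an attacker who rewrites both message and digest, and an HMAC (the construction behind HMACMD5/HMACSHA1, here with SHA-256) is shown to reject the same tampering because the attacker lacks the key. It also writes HMAC out by hand to make the point that the key is mixed into the hash rather than used to encrypt a finished hash value. The message text and the attacker's replacement are constructed sample inputs; the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic (not from the original page).
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 100 to account 99"


def generate_session_key(length: int = 32) -> bytes:
    """Random symmetric key that Bob and Alice share out of band.

    For HMAC the key should be at least as long as the hash output
    (32 bytes for SHA-256); a short or guessable key is the usual weakness.
    """
    return secrets.token_bytes(length)


def hmac_sha256_by_hand(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 as in RFC 2104: H((K ^ opad) || H((K ^ ipad) || message)).

    Written out to show that nothing is 'encrypted'; the key is folded into
    two hash computations.
    """
    block_size = hashlib.sha256().block_size  # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """What Bob sends alongside the data (library HMAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Alice recomputes the tag and compares in constant time.

    compare_digest avoids leaking, via timing, how many leading bytes of a
    forged tag were right; it also returns False on a length mismatch.
    """
    return hmac.compare_digest(mac_tag(key, message), received_tag)


def plain_hash_exchange(tamper: bool) -> bool:
    """Sender attaches only a hash. Returns True if the receiver accepts."""
    msg, digest = MESSAGE, hashlib.sha256(MESSAGE).digest()
    if tamper:
        # The man in the middle rewrites the data and simply rehashes it.
        msg, digest = TAMPERED, hashlib.sha256(TAMPERED).digest()
    return hashlib.sha256(msg).digest() == digest  # accepted either way


def mac_exchange(key: bytes, tamper: bool) -> bool:
    """Sender attaches an HMAC under the shared key. True if accepted."""
    msg, tag = MESSAGE, mac_tag(key, MESSAGE)
    if tamper:
        # The attacker has no session key; the best available move is a tag
        # computed under some other key, which is indistinguishable from noise.
        msg, tag = TAMPERED, mac_tag(secrets.token_bytes(32), TAMPERED)
    return mac_verify(key, msg, tag)


if __name__ == "__main__":
    k = generate_session_key()
    print("plain hash, tampered, accepted:", plain_hash_exchange(tamper=True))
    print("HMAC, untampered, accepted:   ", mac_exchange(k, tamper=False))
    print("HMAC, tampered, accepted:     ", mac_exchange(k, tamper=True))
    print("hand-rolled HMAC matches lib: ",
          hmac_sha256_by_hand(k, MESSAGE) == mac_tag(k, MESSAGE))
```

Two practical notes. First, the article's HMACMD5 and HMACSHA1 still function as MACs because HMAC's security does not rest on collision resistance, but new designs should use HMAC-SHA256 or better. Second, a MAC proves the message came from someone holding the shared key and was not altered in transit; it does not tell Alice whether that holder was Bob or a compromised copy of the key, and it gives no third party a way to check, which is the gap that signatures fill.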