2

Here, message authentication is defined as

A MAC authenticates a message. If Alice sees a message and a MAC and knows the associated secret key, she can verify that the MAC was produced by a principal that knows the key by doing the MAC computation herself. Therefore, if a message comes with a correct MAC attached, it means this message was seen by a holder of the secret key at some point. A MAC is a signature based on a secret key, providing similar assurances to a signature scheme based on public-key cryptography such as RSA-based schemes where the signature must have been produced by a principal in possession of the private key.

So as I understand HMAC for example can be used to authenticate a message am I right? (just had discussion where someone claimed HMAC was only for integrity)

And also, provided I can achieve message authentication with HMAC, how to use it correctly to achieve message authentication? Key generation etc. session keys vs. long term keys. etc.

Or is there maybe better/simpler to implement/configure solution to provide message authentication using symmetric cryptography other then HMAC?

Isn't this kind of authentication something we search for when we want to implement something like say client sending some transaction to the server? (and server accepts it only from legitimate clients)

Community
  • 1
  • Given MAC stands for _Message Authentication Code_ (per the reference you provided) and HMAC term for a specific type of MAC, I think it's likely that you can use those codes to authenticate messages. It's either that or the person(s) that coined the term it are really bad at naming things and/or like confusing people. – JimmyJames Nov 10 '15 at 21:51

1 Answers1

1

HMACs are suitable for asserting both message integrity and authenticity, if properly implemented. However, in the context of a conversation, the "hashed" component might draw focus as being more integrity-focused, and thus be talked about in that way.

It's really difficult to answer your question of "how to use it correctly", because we don't know anything about your use case. Without knowing more, it's also difficult to determine whether there are better alternatives.

Jesse K
  • 1,068
  • 6
  • 13
  • what would you like to know more? basically client should send to server messages in authenticated way –  Nov 11 '15 at 06:31
  • Are you developing an application? What kind of application? Do you have any regulations or rules that are applicable? Can you use pre-existing libraries? Keep in mind that development should probably go to SO. – Jesse K Nov 11 '15 at 17:00
  • Yeah application. I don't think there are some regulations. I guess I could use libraries. I may need both for C++/C#. looking for ways to do authentication using symmetric crypto –  Nov 11 '15 at 22:36
  • You might want to consult stackoverflow for implementation details. This probably won't meet your case, but here's a sample link: http://stackoverflow.com/questions/3208160/how-to-generate-an-hmac-in-java-equivalent-to-a-python-example – Jesse K Nov 12 '15 at 16:35