What is the difference between a hash and a MAC?

A hash is keyless and only proves integrity against accidental change. A MAC takes a secret key, so it proves both integrity and authenticity — only someone with the key could have produced a valid tag. Never use a bare hash for authentication.

Why use HMAC instead of just hashing the key plus message?

Naive key-prepend constructions are vulnerable to length-extension attacks on Merkle-Damgard hashes like SHA-256. HMAC's nested inner and outer hashing structure defeats these attacks and is provably secure.

What MAC does AES-GCM use?

AES-GCM authenticates with GMAC, a polynomial MAC computed in the GF(2^128) Galois field over the ciphertext and associated data. The resulting 128-bit tag is appended to the ciphertext.

Is Poly1305 a standalone MAC?

It can be, but it is almost always used as the authenticator in ChaCha20-Poly1305 AEAD. Poly1305 requires a fresh one-time key per message, which the AEAD construction derives from the cipher keystream.

Should I worry about timing attacks comparing MAC tags?

Yes. Always compare authentication tags with a constant-time equality function. A normal byte-by-byte comparison can leak how many leading bytes matched, enabling a forgery attack over many tries.

MAC Algorithm Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

MAC (message authentication code) reference

A MAC binds a message to a secret key, producing a short tag that proves the message is both intact and from someone holding the key. MACs protect API tokens, cookies, JWTs and the integrity half of authenticated encryption. This reference compares HMAC, GMAC, Poly1305, CMAC and KMAC by construction type, key size, tag length and the AEAD scheme each is paired with.

How it works

MACs come in three families:

Hash-based (HMAC) — wraps a hash like SHA-256 in a keyed nested construction. Secure even on length-extendable hashes.
Cipher-based (CMAC, GMAC) — built from a block cipher such as AES. GMAC is the authentication part of GCM.
Polynomial (Poly1305) — evaluates a polynomial over a prime field; very fast and used in ChaCha20-Poly1305.

To stay secure you must verify the tag with a constant-time comparison, and for one-time MACs (Poly1305, GMAC) you must never reuse the nonce/one-time key, or an attacker can forge tags.

Tips and notes

For standalone authentication, HMAC-SHA-256 is the safe default.
For authenticated encryption, use AES-GCM (GMAC) or ChaCha20-Poly1305.
Truncating a 256-bit HMAC tag to 128 bits is acceptable; shorter tags weaken forgery resistance.
Always compare tags in constant time and never reuse nonces with one-time MACs.