Digital Signature VS MAC vs HMAC - kdwivedi1985/system-design GitHub Wiki

  • Message Authentication Code (MAC): a short, fixed-size tag computed from a secret key and a message to provide data integrity and authentication. The sender runs the variable-length message through the MAC algorithm with the secret key, producing a fixed-size tag that is appended to the message and transmitted with it. The receiver recomputes the tag over the received message with the same key and algorithm; if it matches the received tag, the message is accepted as authentic and unaltered. Provides integrity and authentication only (e.g., CBC-MAC, CMAC). Use case: smart cards, embedded systems, low-level protocols, where a block-cipher MAC can be faster and simpler than a hash-based option.

  • Hash-based Message Authentication Code (HMAC): a MAC built from a cryptographic hash function (such as SHA-256) combined with a secret key to produce the tag. It is more standardized and more widely used than block-cipher MACs. Provides integrity and authentication only; symmetric cryptography (shared secret key); e.g., HMAC-SHA256, HMAC-SHA1. Use cases: API authentication (e.g., AWS), TLS, JWT, webhooks, typically with HMAC-SHA256.

  • Digital Signature: provides integrity, authentication and non-repudiation using asymmetric cryptography (a public/private key pair); e.g., RSA, ECDSA, EdDSA. Use cases: TLS certificates, secure email, legal documents (e.g., DocuSign).

| Feature / Property | MAC | HMAC | Digital Signature |
|---|---|---|---|
| Crypto Type | Symmetric | Symmetric (with hash) | Asymmetric |
| Key Type | Shared secret | Shared secret | Private/Public key pair |
| Integrity | ✅ | ✅ | ✅ |
| Authentication | ✅ | ✅ | ✅ |
| Non-repudiation | ❌ (anyone with the key can forge) | ❌ (anyone with the key can forge) | ✅ (only the private key holder can sign) |
| Hash Function | Optional or not standard | Required (e.g., SHA-256) | Used before signing |
| Efficiency | Very fast | Fast | Slower (depends on key size, algorithm) |
| Tamper Detection | ✅ | ✅ | ✅ |
| Public Verification | ❌ | ❌ | ✅ |
| Example Algorithms | CBC-MAC, CMAC | HMAC-SHA256, HMAC-SHA1 | RSA, ECDSA, EdDSA |
| Used in | Internal systems, devices | API keys (e.g., AWS, Stripe) | TLS certs, PGP, blockchain, secure email |
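The HMAC flow described above, and the "anyone with the key can forge" row of the table, as an added example that is not part of the original wiki page. It uses only Python's standard-library `hmac` and `hashlib` modules; the key and the webhook-style payload are constructed sample values.

```python
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 tag over the message with the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time.

    compare_digest avoids the early-exit byte comparison of a plain '==',
    which could leak how many leading bytes of a candidate tag were right.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed values: a random 256-bit shared key and a sample webhook payload.
    key = os.urandom(32)
    message = b'{"event":"payment.completed","amount":1000}'
    tag = make_tag(key, message)

    # 1. The unmodified message with its tag verifies (integrity + authentication).
    genuine = verify_tag(key, message, tag)

    # 2. Changing a single field invalidates the tag (tamper detection).
    tampered = verify_tag(key, message.replace(b"1000", b"9000"), tag)

    # 3. A party without the shared secret cannot produce or check a valid tag.
    wrong_key = verify_tag(os.urandom(32), message, tag)

    # 4. No non-repudiation: the receiver holds the same key, so a tag it
    #    computes over a message the sender never sent verifies just as well.
    #    A third party cannot tell which side produced the tag.
    receiver_made = b'{"event":"refund.issued","amount":1000}'
    receiver_forgery = verify_tag(key, receiver_made, make_tag(key, receiver_made))

    return {"genuine": genuine, "tampered": tampered,
            "wrong_key": wrong_key, "receiver_forgery": receiver_forgery}


if __name__ == "__main__":
    print(demo())
```

A digital signature closes the fourth case: the receiver holds only the public key, so it can verify but not produce a valid signature.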