Using symmetric key (AES -128) to sign and verify a message

Question

I want to know can symmetric keys be used to sign a message ? We can encrpyt using the shared secret key. Also when symmetric key is used for signing , what API can be used in J

Answer 1

If you want to sign a message using a symmentric key, you want to use a CMAC based on AES (or 3-key TDEA, or Cameilla). CMACs are Message Authentication Codes (MAC) constructed on top of block ciphers. You generally use a CMAC if you are also using AES/3TDEA/Cameilla for encryption (ie, it is handy).

You can also use an HMAC. An HMAC is a Message Authentication Code (MAC) constructed on top of a hash. You would use an HMAC is a hash were already present in the program (ie, it was handy).

When I have both a Block Cipher and Hash present in the program, I generally use an HMAC because its faster.

Finally (for completeness), don't use MD5. Its broken (despite what many in the free software world think). SHA-1 is no longer approved for new applications by bodies such NIST, NESSIE, and ECRYPT. Use the SHA-2 family of hashes, or use Whirlpool.

For the java specific stuff, see Java Cryptography Extensions.