Whats the difference between MAC vs hash

A cryptographic hash function is a completely public, deterministic hash function which everybody can compute over arbitrary inputs. It takes as input a sequence of bits (any sequence of bits; some hash functions are formally limited to inputs of, say, less 2⁶⁴ bits, aka "2 millions of terabytes") and outputs values in a rather small space, typically a sequence of bits with a fixed size (e.g. always 160 bits with the standard hash function SHA-1). Good cryptographic hash functions respect some conditions which boil down to, informally, that they mix input data so thoroughly that we cannot figure it out afterwards.

A message authentication code is an algorithm which takes as input a message and a secret key and produces a fixed-sized output which can be later on verified to match the message; the verification also requires the same secret key. Contrary to hash functions where everything is known and attackers are fighting against mathematics, MAC make sense in models where there are entities with knowledge of a secret. What we expect from a good MAC is unforgeability: it should be infeasible to compute a pair message+MAC value which successfully verifies with a given key K without knowing K exactly and in its entirety.

Hash functions and MAC are thus distinct kind of algorithms with distinct properties and used in really distinct situations.

Some MAC algorithms (but certainly not all of them) can be thought of as "hash functions with a key" but this is a restrictive view. HMAC is a well-known MAC construction, which itself builds on an underlying hash function in a smart way. Indeed, security properties and models for hash functions and MAC are sufficiently distinct from each other that slapping a hash function and a key together does not necessarily yield a secure MAC, even if the hash function is secure (see the length extension attack which illustrates that point).

To some extent, we can state that a MAC algorithm which can operate securely without an IV must exhibit some hash-like properties (that's the reason I like HMAC: without an IV, it is much harder to get it wrong when implementing it). However, the Devil is in the details.

They are two totally different primitives. A MAC is used for message authentication, and is a symmetrically keyed primitive. A hash function can be used for many purposes, and has no special key input. MAC is an acronym of "message authentication code".

Don't be confused by the fact that some MAC algorithms (e.g., SHA1-HMAC) work by using a hash function as a subroutine. They're very different beasts.

• Some examples of MAC algorithms: CMAC, SHA1-HMAC, MD5-HMAC, UMAC, Poly1305-AES.
• Some examples of cryptographic hash functions: SHA256, SHA1, MD5.

To make it simple: usually a MAC is a Hash value encrypted with a secret key. For example, attackers can forge message and calculate a new hash, but he can't do so if the system requires hash to be encrypted with a secret key.