Great question—this is a classic point of confusion when moving beyond basic integrity checks to real-world cryptography. Let’s break this down clearly:

First off, hash functions (like SHA-256) and CRC are only designed for basic integrity checking—they don’t address two critical security needs: confidentiality (keeping data secret) and unforgeable authenticity (proving data came from a trusted source).

If you just send plaintext + a hash/CRC, you run into big problems:

• The plaintext is fully exposed—anyone intercepting the message can read it immediately, no secrecy involved.
• An attacker can freely modify the plaintext, then recalculate the corresponding hash/CRC and replace the original value. Since hash/CRC algorithms are public (no secret key required), there’s nothing stopping them from doing this. For example, an attacker could change a $100 transfer amount to $10,000, generate a new SHA-256 hash for the modified text, and the recipient would never know the difference without extra key-based validation.

Authenticated encryption (like GCM or EAX) solves both issues in one go: it encrypts the plaintext into unreadable ciphertext (for confidentiality) and generates a keyed Message Authentication Code (MAC). Only someone with the shared secret key can verify the MAC—this proves the message hasn’t been tampered with and came from a trusted sender.

You’re right that CRC/hash can catch accidental tampering, but they’re powerless against active attackers. Here’s why AEAD schemes like GCM/EAX are way more secure:

• Keyed authentication = true authenticity
  CRC and unkeyed SHA only verify that data wasn’t accidentally corrupted—they can’t prove the data came from a legitimate source. An attacker can tamper with the message, recalculate the CRC/hash, and the recipient will have no way to tell the difference. GCM/EAX’s MAC is tied to a secret key—without that key, attackers can’t generate a valid MAC for their tampered message, so the recipient will immediately detect the fraud.

• Confidentiality + authentication in one secure package
  GCM and EAX are part of the AEAD (Authenticated Encryption with Associated Data) standard, which integrates encryption and authentication in a mathematically proven secure way. If you try to combine encryption + hash/CRC on your own, you’re likely to make mistakes (e.g., should you encrypt first then authenticate, or vice versa? Get the order wrong, and you introduce a critical vulnerability). AEAD schemes handle this correctly out of the box.

• Resistance to cryptographic attacks
  CRC is linear, meaning attackers can easily calculate how to modify data to keep the CRC matching—no effort required. Even cryptographically secure hashes like SHA-256, when used without a key, are vulnerable to collision attacks (SHA-1 is already cracked) or chosen-plaintext attacks where an attacker crafts messages to exploit weaknesses. GCM/EAX are rigorously tested, standardized (GCM is NIST-approved), and designed to resist these advanced threats.

• Support for associated data
  In many cases, you need to authenticate metadata that shouldn’t be encrypted (like a message timestamp or device ID). AEAD schemes let you include this "associated data" in the MAC calculation, ensuring the metadata hasn’t been tampered with too. With plain hash/CRC, you’d have to manually append this data to the plaintext, which introduces risks of formatting errors or edge cases breaking the check.

• No DIY security pitfalls
  Rolling your own "plaintext + hash" system is full of hidden traps: Where do you put the hash? Should you add a salt? How do you handle large messages? Even small mistakes can render the entire integrity check useless. GCM/EAX are pre-built, battle-tested solutions—use them correctly with a secure key, and you get reliable security without the guesswork.

内容的提问来源于stack exchange，提问作者Karsten