Message authentication code
A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's integrity and its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
While MAC functions are similar to cryptographic hash functions, they possess different security requirements. To be considered secure, a MAC function must resist existential forgery under chosen-plaintext attacks. This implies that an attacker must be unable to find any two messages M and M' which both produce the same MAC under some unknown secret key, even when the attacker has access to an "oracle" which possesses the secret key and generates MACs for messages of the attacker's choosing. Note that this differs from the property of collision resistance required by a cryptographic hash function: a MAC may be considered secure even if the key-holder can efficiently find collisions.
MACs differ from digital signatures, as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on keys before initiating communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the property of non-repudiation offered by signatures: any user who can verify a MAC is also capable of generating MACs for other messages.
MAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (as in the case of HMAC) or from block cipher algorithms (OMAC, CBC-MAC and PMAC).
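
The properties described above, shown with HMAC-SHA256 from Python's standard library. This is an added example, not part of the original article; the key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)

def verify_digest(message: bytes, digest: bytes) -> bool:
    """Unkeyed integrity check, for contrast with the MAC."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def demo() -> dict:
    # Constructed sample data: a random shared key and made-up messages.
    key = secrets.token_bytes(32)
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    tag = make_tag(key, original)

    results = {
        # A verifier holding the same key accepts the untouched message.
        "valid_accepted": verify_tag(key, original, tag),
        # Any change to the content invalidates the tag.
        "tampered_rejected": not verify_tag(key, tampered, tag),
        # A tag made under a different key is not accepted.
        "wrong_key_rejected": not verify_tag(
            key, tampered, make_tag(secrets.token_bytes(32), tampered)),
    }
    # Unkeyed hash: whoever changes the message can recompute the digest,
    # so the check passes and says nothing about who produced the message.
    results["plain_hash_accepts_tampering"] = verify_digest(
        tampered, hashlib.sha256(tampered).digest())
    # No non-repudiation: the receiver's copy of the key produces a valid
    # tag for a message the sender never wrote.
    unsent = b"message the sender never sent"
    results["receiver_can_generate"] = verify_tag(key, unsent, make_tag(key, unsent))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
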
* Data Authentication Code, a DES-based MAC algorithm from ANSI
* UMAC
* HMAC
* Poly1305-AES
* RSA FAQ's entry on MACs