Title: Message authentication code  
Author: World Heritage Encyclopedia
Language: English
Subject: PMAC (cryptography), Hash-based message authentication code, Poly1305, UMAC, VMAC
Collection: Error Detection and Correction, Message Authentication Codes
Publisher: World Heritage Encyclopedia

Message authentication code

In cryptography, a message authentication code (MAC) is a short piece of information used to authenticate a message—in other words, to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin.

A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.


  • Security 1
  • Message integrity codes 2
  • Implementation 3
  • Standards 4
  • An Example of Message Authentication Code Algorithm 5
    • One-time MAC 5.1
  • See also 6
  • References 7
  • External links 8


Security

While MAC functions are similar to cryptographic hash functions, they possess different security requirements. To be considered secure, a MAC function must resist existential forgery under chosen-message (chosen-plaintext) attacks. This means that even if an attacker has access to an oracle which possesses the secret key and generates MACs for messages of the attacker's choosing, the attacker cannot produce a valid MAC for any other message (one that was not submitted to the oracle) without performing an infeasible amount of computation.
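To make the forgery game concrete, here is an added example in Python (not from the original article): a chosen-message oracle that tags whatever the adversary submits under a hidden key, and an adversary that wins against raw CBC-MAC applied to variable-length messages, the weakness that CMAC/OMAC was designed to remove. The "block cipher" is a stand-in built from HMAC-SHA256 truncated to 16 bytes, an assumption made so the example runs with the standard library alone; CBC-MAC uses only the cipher's forward direction, so the forgery works identically with AES.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes of the stand-in cipher


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher E_k (assumption: not AES).

    CBC-MAC only ever calls E_k in the forward direction, so any deterministic
    keyed function with a 16-byte output shows the same forgery. HMAC-SHA256
    truncated to 16 bytes keeps the example dependency-free.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, no length prefix, no final-block tweak.

    Secure only when every message has the same fixed length; on
    variable-length input it is forgeable, which the game below shows.
    """
    if len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of the block size")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_cipher(key, xor(state, msg[i:i + BLOCK]))
    return state


class MacOracle:
    """The oracle of the forgery game: holds the secret key, tags anything the
    adversary asks for, and remembers what was asked."""

    def __init__(self, mac, key: bytes):
        self._mac = mac
        self._key = key
        self.queried = set()

    def tag(self, msg: bytes) -> bytes:
        self.queried.add(msg)
        return self._mac(self._key, msg)

    def is_valid_forgery(self, msg: bytes, tag: bytes) -> bool:
        """A forgery only counts for a message never submitted to tag()."""
        return msg not in self.queried and hmac.compare_digest(
            self._mac(self._key, msg), tag)


def forge_cbc_mac(oracle: MacOracle):
    """Two chosen-message queries give a valid tag on a fresh two-block message.

    t1 = E(m1) and t2 = E(m2). For m' = m1 || (m2 XOR t1):
    CBC-MAC(m') = E(E(m1) XOR m2 XOR t1) = E(m2) = t2.
    """
    m1 = b"transfer 10 EUR "   # 16 bytes, constructed sample messages
    m2 = b"transfer 1000000"   # 16 bytes
    t1 = oracle.tag(m1)
    t2 = oracle.tag(m2)
    forged_msg = m1 + xor(m2, t1)
    return forged_msg, t2


def run_game() -> bool:
    """Play one round with a random key; True means the adversary won."""
    oracle = MacOracle(cbc_mac, os.urandom(32))
    msg, tag = forge_cbc_mac(oracle)
    return oracle.is_valid_forgery(msg, tag)
```

The adversary never learns the key and never computes E_k itself; the oracle's answers alone are enough. Prefixing the message with its length, or using CMAC/OMAC with its final-block masking, closes this particular gap.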

MACs differ from digital signatures in that MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the non-repudiation offered by signatures, most obviously when the secret key is shared network-wide: any party who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, i.e. with public-key cryptography. Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder, so digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key-usage information to the MAC key: the same key is in the possession of two parties, but one holds a copy that can be used for MAC generation while the other holds its copy in a hardware security module that only permits MAC verification. This is commonly done in the finance industry.

Message integrity codes

The term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications,[1] where the acronym MAC traditionally stands for Media Access Control address. However, some authors[2] use MIC to refer to a message digest, which is different from a MAC: a message digest does not use a secret key. Because of this, any message digest intended for gauging message integrity must itself be encrypted or otherwise protected against tampering, since an attacker who can modify the message can just as easily recompute its digest. Message digest algorithms are created such that a given message will always produce the same message digest, assuming the same algorithm is used to generate both. Conversely, MAC algorithms are designed to produce matching MACs only if the same message and secret key (and, for constructions that use one, the same initialization vector) are input to the same algorithm. Message digests do not use secret keys and, when taken on their own, are therefore a much less reliable gauge of message integrity than MACs. Because MACs use secret keys, they do not need to be encrypted to provide the same level of assurance.

RFC 4949 recommends avoiding the term "message integrity code" (MIC), and instead using "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum".


Implementation

MAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (as in the case of HMAC) or block cipher algorithms (OMAC, CBC-MAC and PMAC). However, many of the fastest MAC algorithms, such as UMAC and VMAC, are constructed based on universal hashing.[3]

Additionally, a MAC algorithm can deliberately combine two or more cryptographic primitives, so as to maintain protection even if one of them is later found to be vulnerable. For instance, the pseudorandom function of Transport Layer Security (TLS) versions 1.0 and 1.1, used for key derivation and for the Finished messages, splits the secret into two halves, expands one with HMAC-MD5 and the other with HMAC-SHA-1, and XORs the two outputs, so the result stays secure as long as either hash function holds up.


Standards

Various standards exist that define MAC algorithms. These include:

  • FIPS PUB 113 Computer Data Authentication,[4] withdrawn in 2002,[5] defines an algorithm based on DES.
  • FIPS PUB 198-1 The Keyed-Hash Message Authentication Code (HMAC)[6]
  • ISO/IEC 9797-1 Mechanisms using a block cipher[7]
  • ISO/IEC 9797-2 Mechanisms using a dedicated hash-function[8]

ISO/IEC 9797-1 and -2 define generic models and algorithms that can be used with any block cipher or hash function, and a variety of different parameters. These models and parameters allow more specific algorithms to be defined by nominating the parameters. For example, the FIPS PUB 113 algorithm is functionally equivalent to ISO/IEC 9797-1 MAC algorithm 1 with padding method 1 and a block cipher algorithm of DES.

An example of using a message authentication code

In this example, the sender of a message runs it through a MAC algorithm, keyed with the shared secret, to produce a MAC tag. The message and the tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second tag. The receiver then compares the tag received in the transmission to the tag it computed. If they are identical, the receiver can conclude that the message was produced by a holder of the key and was not altered or tampered with during transmission. The comparison itself should be done in constant time: a byte-by-byte comparison that stops at the first mismatch leaks, through timing, how many leading bytes of a guessed tag were correct.

However, to allow the receiver to detect replay attacks, the message itself must contain data that ensures the same message can only be accepted once (e.g. a time stamp, a sequence number, or the use of a one-time MAC), and that data must be covered by the tag. Otherwise an attacker could, without even understanding its content, record the message and play it back at a later time, producing the same result as the original sender.
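The exchange described above, as an added Python example that is not part of the original article: the sender tags a sequence number together with the payload using HMAC-SHA256, and the receiver verifies the tag with a constant-time comparison and then rejects any sequence number it has already accepted. The wire layout (8-byte sequence number, 32-byte tag, payload) and the demo key are assumptions made for the example.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output


def make_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over seq || payload. Authenticating the sequence number
    together with the payload is what lets the receiver tell a replay from
    a genuine message."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def send(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side. Wire layout (assumed for this example):
    8-byte sequence number || 32-byte tag || payload."""
    return struct.pack(">Q", seq) + make_tag(key, seq, payload) + payload


class Receiver:
    """Receiver side: verifies the tag, then enforces strictly increasing
    sequence numbers."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1   # highest sequence number accepted so far

    def receive(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        tag = frame[SEQ_LEN:SEQ_LEN + TAG_LEN]
        payload = frame[SEQ_LEN + TAG_LEN:]
        expected = make_tag(self._key, seq, payload)
        # Constant-time comparison: a plain == may stop at the first
        # mismatching byte and leak, through timing, how much of a guessed
        # tag was right.
        if not hmac.compare_digest(expected, tag):
            return None
        # Freshness is checked only after authentication, so unauthenticated
        # frames can never move the receiver's window.
        if seq <= self._last_seq:
            return None
        self._last_seq = seq
        return payload


def demo() -> dict:
    """Constructed scenario: a genuine frame, its replay, a tampered copy,
    a frame under the wrong key, and the next genuine frame."""
    key = bytes(range(32))            # constructed demo key, not for real use
    rx = Receiver(key)
    frame = send(key, 1, b"pay 10 EUR to alice")
    results = {"genuine": rx.receive(frame)}
    results["replay"] = rx.receive(frame)
    tampered = frame[:-5] + b"mallo"  # change the recipient, keep the old tag
    results["tampered"] = rx.receive(tampered)
    results["wrong_key"] = rx.receive(send(b"\x00" * 32, 2, b"hello"))
    results["next"] = rx.receive(send(key, 2, b"pay 5 EUR to bob"))
    return results
```

A strictly increasing counter rejects reordered frames as well as replays; protocols that must tolerate reordering keep a sliding window of recently seen sequence numbers instead, but the tag still has to cover the number.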

One-time MAC

Universal hashing, and in particular pairwise independent hash functions, provide a message authentication code as long as the key is used at most once (or fewer than k times for k-wise independent hash functions). This can be seen as the authentication analogue of the one-time pad.[9]

The simplest such pairwise independent hash function is defined by the random key key = (a, b), with a and b uniform in [0, p), and the MAC tag for a message m in [0, p) is computed as tag := (a·m + b) mod p, where p is a prime. A forger who has seen one (m, tag) pair can do no better than guess, succeeding with probability 1/p; but if the same key is used for a second message, the two tags form two linear equations in the two unknowns a and b, from which the key is recovered immediately.
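The one-time MAC above, as an added Python example (not from the original article), together with the two facts that make it one-time: a brute-force count over a tiny prime showing that one observed tag leaves every candidate tag for another message equally likely, and the key-recovery attack that follows as soon as the key is reused. The prime 2^61 - 1 and the sample messages are assumptions for the example.

```python
import secrets

P = (1 << 61) - 1   # a Mersenne prime; keys, messages and tags live in Z_p


def keygen(p: int = P) -> tuple:
    """One-time key (a, b), uniform in Z_p x Z_p. Use it for exactly one message."""
    return secrets.randbelow(p), secrets.randbelow(p)


def onetime_mac(key, m: int, p: int = P) -> int:
    """tag := (a*m + b) mod p, the pairwise independent hash from the text."""
    a, b = key
    if not 0 <= m < p:
        raise ValueError("message must be an integer in [0, p)")
    return (a * m + b) % p


def verify(key, m: int, tag: int, p: int = P) -> bool:
    return onetime_mac(key, m, p) == tag


def consistent_keys(pairs, p: int) -> list:
    """Brute force over Z_p x Z_p (tiny p only): every key that tags all the
    given (m, tag) pairs. After one observed pair, p keys remain, exactly one
    per candidate tag of any other message, so a forger succeeds with
    probability 1/p, the same guarantee the one-time pad gives for secrecy."""
    return [(a, b) for a in range(p) for b in range(p)
            if all((a * m + b) % p == t for m, t in pairs)]


def recover_key(m1: int, t1: int, m2: int, t2: int, p: int = P) -> tuple:
    """Key reuse is fatal: two tags under one key are two linear equations
    in the two unknowns a and b, solved with a single modular inverse."""
    if m1 == m2:
        raise ValueError("need two distinct messages")
    a = ((t1 - t2) * pow((m1 - m2) % p, -1, p)) % p
    b = (t1 - a * m1) % p
    return a, b


def demo() -> tuple:
    """Constructed scenario: the sender reuses a one-time key for a second
    message; an eavesdropper recovers the key and forges a tag on a third."""
    key = keygen()
    m1, m2, m3 = 42, 1000, 7      # constructed sample messages
    t1 = onetime_mac(key, m1)
    t2 = onetime_mac(key, m2)     # the mistake: same key, second message
    recovered = recover_key(m1, t1, m2, t2)
    forged = onetime_mac(recovered, m3)
    return recovered == key, verify(key, m3, forged)
```

Practical schemes such as Poly1305 keep this algebraic core but derive a fresh one-time key per message from a long-term key and a nonce, which is what turns the one-time guarantee into a reusable MAC.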

References

  1. ^
  2. ^ Fred B. Schneider, Hashes and Message Digests, Cornell University
  3. ^
  4. ^ FIPS PUB 113, Computer Data Authentication
  5. ^ Federal Information Processing Standards Publications, Withdrawn FIPS Listed by Number
  6. ^ FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC)
  7. ^ ISO/IEC 9797-1, Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a block cipher
  8. ^ ISO/IEC 9797-2, Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function
  9. ^

External links

  • RSA Laboratories entry on MACs
  • Ron Rivest lecture on MACs