In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for
authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects a message's
data integrity
Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire Information Lifecycle Management, life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, proc ...
, as well as its
authenticity
Authenticity or authentic may refer to:
* Authentication, the act of confirming the truth of an attribute
Arts and entertainment
* Authenticity in art, ways in which a work of art or an artistic performance may be considered authentic
Music
* A ...
, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
Terminology
The term message integrity code (MIC) is frequently substituted for the term ''MAC'', especially in communications to distinguish it from the use of the latter as ''
media access control address
A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking techno ...
'' (''MAC address''). However, some authors use MIC to refer to a
message digest
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
, which aims only to uniquely but opaquely identify a single message. RFC 4949 recommends avoiding the term ''message integrity code'' (MIC), and instead using ''
checksum
A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data ...
'', ''
error detection code
In information theory and coding theory with applications in computer science and telecommunication, error detection and correction (EDAC) or error control are techniques that enable reliable delivery of digital data over unreliable commun ...
'', ''
hash'', ''keyed hash'', ''message authentication code'', or ''protected checksum''.
Definitions
Informally, a message authentication code system consists of three algorithms:
* A key generation algorithm selects a key from the key space uniformly at random.
* A signing algorithm efficiently returns a tag given the key and the message.
* A verifying algorithm efficiently verifies the authenticity of the message given the key and the tag. That is, return ''accepted'' when the message and tag are not tampered with or forged, and otherwise return ''rejected''.
A secure message authentication code must resist attempts by an adversary to
forge tags, for arbitrary, select, or all messages, including under conditions of
known- or
chosen-message. It should be computationally infeasible to compute a valid tag of the given message without knowledge of the key, even if for the worst case, we assume the adversary knows the tag of any message but the one in question.
Formally, a message authentication code (MAC) system is a triple of efficient
[Theoretically, an efficient algorithm runs within probabilistic polynomial time.] algorithms (''G'', ''S'', ''V'') satisfying:
* ''G'' (key-generator) gives the key ''k'' on input
1''n'', where ''n'' is the security parameter.
* ''S'' (signing) outputs a tag ''t'' on the key ''k'' and the input string ''x''.
* ''V'' (verifying) outputs ''accepted'' or ''rejected'' on inputs: the key ''k'', the string ''x'' and the tag ''t''.
''S'' and ''V'' must satisfy the following:
: Pr
''n''), ''V''( ''k'', ''x'', ''S''(''k'', ''x'') ) = ''accepted'' ">''k'' ← ''G''(1''n''), ''V''( ''k'', ''x'', ''S''(''k'', ''x'') ) = ''accepted'' = 1.
A MAC is unforgeable if for every efficient adversary ''A''
: Pr [ ''k'' ← ''G''(1
''n''), (''x'', ''t'') ← ''A''
''S''(''k'', · )(1
''n''), ''x'' ∉ Query(''A''
''S''(''k'', · ), 1
''n''), ''V''(''k'', ''x'', ''t'') = ''accepted''] < negl(''n''),
where ''A''
''S''(''k'', · ) denotes that ''A'' has access to the oracle ''S''(''k'', · ), and Query(''A''
''S''(''k'', · ), 1
''n'') denotes the set of the queries on ''S'' made by ''A'', which knows ''n''. Clearly we require that any adversary cannot directly query the string ''x'' on ''S'', since otherwise a valid tag can be easily obtained by that adversary.
Security
While MAC functions are similar to
cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
s, they possess different security requirements. To be considered secure, a MAC function must resist
existential forgery In a cryptographic digital signature or MAC system, digital signature forgery is the ability to create a pair consisting of a message, m, and a signature (or MAC), \sigma, that is valid for m, but has not been created in the past by the legitimate ...
under
chosen-message attacks. This means that even if an attacker has access to an
oracle
An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination.
Description
The word '' ...
which possesses the secret key and generates MACs for messages of the attacker's choosing, the attacker cannot guess the MAC for other messages (which were not used to query the oracle) without performing infeasible amounts of computation.
MACs differ from
digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
s as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with
symmetric encryption
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
. For the same reason, MACs do not provide the property of
non-repudiation Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged ...
offered by signatures specifically in the case of a network-wide
shared secret
In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be a password, a passphrase, a big number, or a ...
key: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, which is public-key cryptography.
Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key usage information to the MAC key; the same key is in the possession of two people, but one has a copy of the key that can be used for MAC generation while the other has a copy of the key in a
hardware security module
A hardware security module (HSM) is a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptograp ...
that only permits MAC verification. This is commonly done in the finance industry.
Implementation
MAC algorithms can be constructed from other cryptographic primitives, like
cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
s (as in the case of
HMAC
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...
) or from
block cipher
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
algorithms (
OMAC,
CCM,
GCM, and
PMAC). However many of the fastest MAC algorithms like
UMAC
In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and ap ...
-
VMAC
VMAC is a block cipher-based message authentication code (MAC) algorithm using a universal hash proposed by Ted Krovetz and Wei Dai in April 2007. The algorithm was designed for high performance backed by a formal analysis.
VMAC is designed to h ...
and
Poly1305-AES are constructed based on
universal hashing
In mathematics and computing, universal hashing (in a randomized algorithm or data structure) refers to selecting a hash function at random from a family of hash functions with a certain mathematical property (see definition below). This guarantees ...
.
Intrinsically keyed hash algorithms such as
SipHash
SipHash is an add–rotate–xor (ARX) based family of pseudorandom functions created by Jean-Philippe Aumasson and Daniel J. Bernstein in 2012, in response to a spate of "hash flooding" denial-of-service attacks (HashDoS) in late 2011.
Althou ...
are also by definition MACs; they can be even faster than universal-hashing based MACs.
Additionally, the MAC algorithm can deliberately combine two or more cryptographic primitives, so as to maintain protection even if one of them is later found to be vulnerable. For instance, in
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
(TLS), the
input data
In computing, input/output (I/O, or informally io or IO) is the communication between an information processing system, such as a computer, and the outside world, possibly a human or another information processing system. Information, Inputs are ...
is split in halves that are each processed with a different hashing primitive (
SHA-1
In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecima ...
and
SHA-2
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
) then
XORed
Exclusive or or exclusive disjunction is a Logical connective, logical operation that is true if and only if its arguments differ (one is true, the other is false).
It is Table of logic symbols, symbolized by the prefix operator J and by the ...
together to output the MAC.
One-time MAC
Universal hashing
In mathematics and computing, universal hashing (in a randomized algorithm or data structure) refers to selecting a hash function at random from a family of hash functions with a certain mathematical property (see definition below). This guarantees ...
and in particular
pairwise independent In probability theory, a pairwise independent collection of random variables is a set of random variables any two of which are independent. Any collection of mutually independent random variables is pairwise independent, but some pairwise indepen ...
hash functions provide a secure message authentication code as long as the key is used at most once. This can be seen as the
one-time pad
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ran ...
for authentication.
The simplest such pairwise independent hash function is defined by the random key, , and the MAC tag for a message ''m'' is computed as , where ''p'' is prime.
More generally,
''k''-independent hashing functions provide a secure message authentication code as long as the key is used less than ''k'' times for ''k''-ways independent hashing functions.
Message authentication codes and data origin authentication have been also discussed in the framework of quantum cryptography. By contrast to other cryptographic tasks, such as key distribution, for a rather broad class of quantum MACs it has been shown that quantum resources do not offer any advantage over unconditionally secure one-time classical MACs.
Standards
Various standards exist that define MAC algorithms. These include:
* FIPS PUB 113 ''Computer Data Authentication'', withdrawn in 2002, defines an algorithm based on
DES
Des is a masculine given name, mostly a short form (hypocorism) of Desmond. People named Des include:
People
* Des Buckingham, English football manager
* Des Corcoran, (1928–2004), Australian politician
* Des Dillon (disambiguation), sever ...
.
* FIPS PUB 198-1 ''The Keyed-Hash Message Authentication Code (HMAC)''
* NIST SP800-185 ''SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash''
*
ISO/IEC 9797-1
ISO/IEC 9797-1 ''Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher'' is an international standard that defines methods for calculating a message authentication code ...
''Mechanisms using a block cipher''
*
ISO
ISO is the most common abbreviation for the International Organization for Standardization.
ISO or Iso may also refer to: Business and finance
* Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007
* Iso ...
/IEC 9797-2 ''Mechanisms using a dedicated hash-function''
*
ISO
ISO is the most common abbreviation for the International Organization for Standardization.
ISO or Iso may also refer to: Business and finance
* Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007
* Iso ...
/IEC 9797-3 ''Mechanisms using a universal hash-function''
*
ISO
ISO is the most common abbreviation for the International Organization for Standardization.
ISO or Iso may also refer to: Business and finance
* Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007
* Iso ...
/IEC 29192-6 ''Lightweight cryptography - Message authentication codes''
ISO/IEC 9797-1 and -2 define generic models and algorithms that can be used with any block cipher or hash function, and a variety of different parameters. These models and parameters allow more specific algorithms to be defined by nominating the parameters. For example, the FIPS PUB 113 algorithm is functionally equivalent to ISO/IEC 9797-1 MAC algorithm 1 with padding method 1 and a block cipher algorithm of DES.
An example of MAC use
In this example, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, the receiver can safely assume that the message was not altered or tampered with during transmission (
data integrity
Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire Information Lifecycle Management, life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, proc ...
).
However, to allow the receiver to be able to detect
replay attack
A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...
s, the message itself must contain data that assures that this same message can only be sent once (e.g. time stamp,
sequence number or use of a
one-time MAC). Otherwise an attacker could – without even understanding its content – record this message and play it back at a later time, producing the same result as the original sender.
See also
*
Checksum
A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data ...
*
CMAC
*
HMAC
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...
(hash-based message authentication code)
*
MAA
*
MMH-Badger MAC
Badger is a Message Authentication Code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-al ...
*
Poly1305
Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography.
As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a key shared ...
*
Authenticated encryption
Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Programming interface
A typical application programming in ...
*
UMAC
In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and ap ...
*
VMAC
VMAC is a block cipher-based message authentication code (MAC) algorithm using a universal hash proposed by Ted Krovetz and Wei Dai in April 2007. The algorithm was designed for high performance backed by a formal analysis.
VMAC is designed to h ...
*
SipHash
SipHash is an add–rotate–xor (ARX) based family of pseudorandom functions created by Jean-Philippe Aumasson and Daniel J. Bernstein in 2012, in response to a spate of "hash flooding" denial-of-service attacks (HashDoS) in late 2011.
Althou ...
*
KMAC
Notes
References
*
*
*
[11-12-20C8]
External links
RSA Laboratories entry on MACsRon Rivest lecture on MACs
{{Authority control
Message authentication codes
Error detection and correction