Message Authentication Code

MAC (Message Authentication Code) is a cryptographic checksum used to authenticate a message by allowing verifiers to detect any changes to the message content. It requires same secret key known only to the message originator and its intended recipient(s). This allows the message recipient to verify the message data integrity and authenticate that the message’s sender has the shared secret key. If a sender doesn’t know the secret key, the hash value would then be different, which would tell the recipient that the message was not from the original sender.

Four types of MACs

• Unconditionally secure

• Hash function-based

• Stream cipher-based

• Block cipher-based

Below are the widely used algorithms in cards & payments industry :

• Block cipher-based algorithm like Triple DES (3DES), AES-256, etc

• Hash function-based (HMAC) algorithm like HMAC_SHA256, HMAC_SHA1, etc


While Message Authentication Code(MAC) functions are similar to cryptographic hash functions, they possess different security requirements. To be considered secure, a MAC function must resist existential forgery under chosen-plaintext attacks. This means that even if an attacker has access to an oracle which possesses the secret key and generates MACs for messages of the attacker’s choosing, the attacker cannot guess the MAC for other messages (which were not used to query the oracle) without performing infeasible amounts of computation. MACs differ from digital signatures as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the property of non-repudiation offered by signatures specifically in the case of a network-wide shared secret key: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, which is public-key cryptography. Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key usage information to the MAC key; the same key is in the possession of two people, but one has a copy of the key that can be used for MAC generation while the other has a copy of the key in a hardware security module that only permits MAC verification.

Related Articles:

StriveBlue Home | Health-Choomandrakaali

Post Author: Tech Siddha