Skip to content Skip to navigation Skip to footer

What Is a Message Authentication Code?


Message Authentication Code (MAC) Defined

Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent through a network or transferred from one person to another. 

In other words, MAC ensures that the message is coming from the correct sender, has not been changed, and that the data transferred over a network or stored in or outside a system is legitimate and does not contain harmful code. MACs can be stored on a hardware security module, a device used to manage sensitive digital keys.

How Does a Message Authentication Code Work?

The first step in the MAC process is the establishment of a secure channel between the receiver and the sender. To encrypt a message, the MAC system uses an algorithm, which uses a symmetric key and the plain text message being sent. The MAC algorithm then generates authentication tags of a fixed length by processing the message. The resulting computation is the message's MAC.

This MAC is then appended to the message and transmitted to the receiver. The receiver computes the MAC using the same algorithm. If the resulting MAC the receiver arrives at equals the one sent by the sender, the message is verified as authentic, legitimate, and not tampered with.

In effect, MAC uses a secure key only known to the sender and the recipient. Without this information, the recipient will not be able to open, use, read, or even receive the data being sent. If the data is to be altered between the time the sender initiates the transfer and when the recipient receives it, the MAC information will also be affected. 

Therefore, when the recipient attempts to verify the authenticity of the data, the key will not work, and the end result will not match that of the sender. When this kind of discrepancy is detected, the data packet can be discarded, protecting the recipient’s system.

What Are the Types of Message Authentication Codes?

Although all MACs accomplish the same end objective, there are a few different types.

One-time MAC

A one-time MAC is a lot like one-time encryption in that a MAC algorithm for a single use is defined to secure the transmission of data. One-time MACs tend to be faster than other authentication algorithms.

Carter-Wegman MAC

A Carter-Wegman MAC is similar to a one-time MAC, except it also incorporates a pseudorandom function that makes it possible for a single key to be used many times over.


With a Keyed-Hash Message Authentication Code (HMAC) system, a one-way hash is used to create a unique MAC value for every message sent. The input parameters can have various values assigned, and making them very different from each other may produce a higher level of security.  

Approved Message Authentication Code Algorithms

The approved general-purpose MAC algorithms are HMAC, KECCAK Message Authentication Code (KMAC), and Cipher-based Method Authentication Code (CMAC). Message authentication in cryptography depends on hashes, which are used to verify the legitimacy of the transmission, ensuring the message has not been altered or otherwise corrupted since it was first transmitted by the sender.

Keyed-Hash Message Authentication Code (HMAC)

The HMAC is based on an approved hash function. It performs a function similar to that of the Rivest-Shamir-Adelman (RSA) cryptosystem, which is one of the oldest methods of sending data securely. The functions that can be used in HMAC are outlined in the following publications:

  1. FIPS 180-4, Secure Hash Standard
  2. FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

Guidelines regarding HMAC’s security are outlined in NIST SP 800-107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms.

KECCAK Message Authentication Code (KMAC)

KMACs consist of keyed cryptographic algorithms, and their parameters are specified in FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Two variants of KECCAK exist: KMAC256 and KMAC128.

The CMAC Mode for Authentication

As outlined in SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, CMAC is built using an approved block cipher, which is an algorithm that uses a symmetric encryption key, similar to the NIST’s Advanced Encryption Standard (AES), which also uses a symmetric key and was used to guard classified information by the U.S. government.

What Are the Benefits of Message Authentication Codes?

Protects Data Integrity

With MACs, you can make sure that unauthorized code, such as executable codes used by viruses, has not been put into your system. This is useful when trying to combat viruses and other malware.

Detects Changes in the Message Content

You can use an application to generate a MAC based on data that has been sent to you or provided via a storage device. After the application generates a MAC, it can be compared to the original one to detect changes to the data.

How Fortinet Can Help

With FortiGate next-generation firewall (NGFW), all your network traffic is filtered at a granular level, preventing unauthorized or malicious files from entering or exiting your system. FortiGate help you filter out data from unauthorized sources.

If a malicious actor that has been identified by FortiGuard, the intelligence system that powers FortiGate, inserted unauthorized messages, FortiGate prevents their data from getting into your system. Similarly, if the message was originally benevolent but was changed into something containing malicious code, FortiGate can detect the dangerous code and discard the data packet that carries it.