The MAC primitive lets you verify that no one tampers with your data. A sender sharing a symmetric key with a recipient can compute an authentication tag for a given message, which allows the recipient to verify that a message is from the expected sender and has not been modified.
MAC has the following properties:
- Authenticity: Knowing the key is the only way to create a verifiable MAC tag.
- Symmetric: Computing and verifying the tag requires the same key.
MAC can be deterministic or randomized, depending on the algorithm. Tink does not implement non-deterministic MAC algorithms at the moment. You should use MAC only for message authentication, not for other purposes like generation of pseudorandom bytes (for that, see PRF).
If you need an asymmetric primitive instead, see Digital Signature.
Choose a key type
We recommend using HMAC_SHA256 for most uses, but there are other options as well.
In general, the following holds true:
- HMAC_SHA512 may or may not be faster depending on your message size and the specifics of the hardware you use.
- HMAC_SHA512 is the most conservative mode that can be used for practically unlimited number of messages.
AES256_CMAC is fastest on systems that support the AES-NI hardware acceleration.
Minimal security guarantees
- At least 80-bit authentication strength
- Secure against existential forgery under chosen plaintext attack
- At least 128-bit security against key recovery attacks, and also in multi-user scenarios (when an attacker is not targeting a specific key, but any key from a set of up to 232 keys)