A MAC signature is a cryptographic output used to verify the integrity and authenticity of data. A MAC signature algorithm lets you perform two distinct operations:
A signing operation, which uses a signing key to produce a MAC signature over raw data.
A verification operation, where the authenticity of the message can be validated given the signing key and the MAC tag to be verified.
There are two main purposes of a MAC signature:
- Verify the integrity of the signed data.
- Verify the authenticity of the message.
While the purpose of MAC signatures is similar to that of digital signatures, MAC signatures rely on symmetric cryptography. MAC tags are generated and verified using the same secret key. The sender and the receiver of a message must both have the same key to use MAC signatures.
Example use case for a MAC signature
MAC algorithms like keyed-hash message authentication code (HMAC) are an excellent file transfer data integrity-checking mechanism because of their efficiency. Hash functions can take a message of arbitrary length and transform it into a fixed-length digest, thus maximizing bandwidth usage.
MAC signing workflow
The following describes the flow for creating and validating a signature. The two participants in this workflow consist of the signer of data, and the data recipient.
The signer and the recipient agree on using a specific, shared MAC key.
Both can use this key to create or verify MAC signatures.
The signer performs a sign operation over the data to compute a MAC tag.
The signer provides the data and the MAC tag to the data recipient.
The recipient uses the shared MAC key to verify the MAC signature. If verification is unsuccessful, then the data has been altered.
Signing algorithms
Cloud Key Management Service only supports keyed-hash message authentication code (HMAC) algorithms for MAC signing. HMAC algorithms use cryptographic hash functions, such as SHA-2 or SHA-3, to compute the MAC tag. The strength of the HMAC function depends on the strength of the hash function, the size of the hash output, and the size of the key. For more information about HMAC signing algorithms, see HMAC signing algorithms.
Limitations
When using Cloud KMS for MAC signatures, the maximum file size is 16 KiB for Cloud HSM keys and 64 KiB for all other keys.What's next
- Learn about HMAC signing algorithms.
- Create a key with the
MAC
key purpose and an HMAC signing algorithm. - Create a MAC signature using an existing
MAC
key with a message. - Verify a MAC signature using an existing
MAC
key with a message and its signature.