MAC signatures

A MAC signature is a cryptographic output used to verify the integrity and authenticity of data. A MAC signature algorithm lets you perform two distinct operations:

• A signing operation, which uses a signing key to produce a MAC signature over raw data.

• A verification operation, where the authenticity of the message can be validated given the signing key and the MAC tag to be verified.

There are two main purposes of a MAC signature:

• Verify the integrity of the signed data.
• Verify the authenticity of the message.

While the purpose of MAC signatures is similar to that of digital signatures, MAC signatures rely on symmetric cryptography. MAC tags are generated and verified using the same secret key. The sender and the receiver of a message must both have the same key to use MAC signatures.

Example use case for a MAC signature

MAC algorithms like keyed-hash message authentication code (HMAC) are an excellent file transfer data integrity-checking mechanism because of their efficiency. Hash functions can take a message of arbitrary length and transform it into a fixed-length digest, thus maximizing bandwidth usage.

MAC signing workflow

The following describes the flow for creating and validating a signature. The two participants in this workflow consist of the signer of data, and the data recipient.

1. The signer and the recipient agree on using a specific, shared MAC key.

   Both can use this key to create or verify MAC signatures.

2. The signer performs a sign operation over the data to compute a MAC tag.

3. The signer provides the data and the MAC tag to the data recipient.

4. The recipient uses the shared MAC key to verify the MAC signature. If verification is unsuccessful, then the data has been altered.

Signing algorithms

Cloud Key Management Service only supports keyed-hash message authentication code (HMAC) algorithms for MAC signing. HMAC algorithms use cryptographic hash functions, such as SHA-2 or SHA-3, to compute the MAC tag. The strength of the HMAC function depends on the strength of the hash function, the size of the hash output, and the size of the key. For more information about HMAC signing algorithms, see HMAC signing algorithms.

Limitations

When using Cloud KMS to create or verify MAC signatures, the following limitations apply:

• When using Cloud HSM keys, the maximum size of the file to be signed is 16 KiB.

• For all other keys, the maximum size of the file to be signed is 64 KiB.

What's next

• Learn about HMAC signing algorithms.
• Create a key with the MAC key purpose and an HMAC signing algorithm.
• Create a MAC signature using an existing MAC key with a message.
• Verify a MAC signature using an existing MAC key with a message and its signature.