Message authentication code

The MAC value allows verifiers (who also possess a secret key) to detect any changes to the message content.

This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with symmetric encryption.

While the primary goal of a MAC is to prevent forgery by adversaries without knowledge of the secret key, this is insufficient in certain scenarios.

When an adversary is able to control the MAC key, stronger guarantees are needed, akin to collision resistance or preimage security in hash functions.[9]

Additionally, the MAC algorithm can deliberately combine two or more cryptographic primitives, so as to maintain protection even if one of them is later found to be vulnerable.

For instance, in Transport Layer Security (TLS) versions before 1.2, the input data is split into halves that are each processed with a different hashing primitive (SHA-1 and SHA-2) and then XORed together to output the MAC.

Standards specifying MAC algorithms include ISO/IEC 9797-1 and -2, which define generic models and algorithms that can be used with any block cipher or hash function, together with a variety of different parameters.

If the received MAC value and the one the receiver recomputes are identical, the receiver can safely assume that the message was not altered or tampered with during transmission (data integrity).
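The sender/receiver flow described above (shared key, tag computed by the sender, tag recomputed and compared by the receiver) as an added example in Python using HMAC-SHA256 from the standard library; this is illustrative code, not part of the original article, and the key and messages are constructed for the demonstration. The comparison uses `hmac.compare_digest` so that the check does not leak timing information about how many bytes of the tag matched.

```python
import hashlib
import hmac
import secrets


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: compute an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it to the received one.

    compare_digest runs in constant time and returns False (rather than raising)
    when the lengths differ, so a truncated tag is rejected like any other mismatch.
    """
    expected = mac_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show which conditions the receiver's check accepts and rejects."""
    key = secrets.token_bytes(32)          # constructed: agreed out of band by both parties
    msg = b"transfer 100 to account 42"    # constructed sample message
    tag = mac_tag(key, msg)

    return {
        # untouched message, correct key: accepted
        "intact": verify_tag(key, msg, tag),
        # payload modified in transit, tag left as sent: rejected
        "tampered": verify_tag(key, b"transfer 900 to account 42", tag),
        # verifier holding a different key cannot validate the tag
        "wrong_key": verify_tag(secrets.token_bytes(32), msg, tag),
        # tag shortened by one byte: rejected without raising
        "truncated_tag": verify_tag(key, msg, tag[:-1]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

Only the `intact` case is accepted; a modified message, a different key, or a damaged tag all fail the check, which is exactly the data-integrity property the text describes. Note that this says nothing about replay: a recorded message with its original tag still verifies, which is why protocols add sequence numbers or timestamps under the MAC.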

Otherwise an attacker could – without even understanding its content – record this message and play it back at a later time, producing the same result as the original sender.
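The replay problem in the sentence above, as an added Python example that is not from the original article: a sequence number is placed under the MAC together with the payload, and the receiver rejects any frame whose sequence number is not higher than the last one it accepted. The frame layout (8-byte big-endian sequence number, payload, 32-byte HMAC-SHA256 tag), the key and the messages are all constructed for this demonstration.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8   # constructed frame layout: 8-byte sequence number prefix
TAG_LEN = 32  # HMAC-SHA256 output length


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: authenticate the sequence number and payload together."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver that verifies the MAC first, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # nothing accepted yet

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None  # too short to contain a header and a tag
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]

        # Check authenticity before looking at the sequence number, so that an
        # unauthenticated frame can never advance or probe the receiver's state.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None

        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # replayed (or out-of-order) frame: same bytes, same valid tag, but stale
        self.last_seq = seq
        return payload


def demo() -> list:
    """Deliver two genuine frames and replay the first one twice."""
    key = b"\x01" * 32  # constructed shared key
    rx = Receiver(key)
    f1 = seal(key, 1, b"unlock door")
    f2 = seal(key, 2, b"lock door")
    # frame 1, a replay of frame 1, frame 2, then another replay of frame 1
    return [rx.accept(f1), rx.accept(f1), rx.accept(f2), rx.accept(f1)]


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the MAC input, an attacker who re-sends a recorded frame cannot bump its counter without invalidating the tag, and a verbatim replay is caught by the freshness check. This strict "higher than last seen" rule also rejects legitimately reordered frames; protocols that tolerate reordering (DTLS, IPsec) keep a sliding window of seen sequence numbers instead.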