Processing message authentication code
The process of verifying the integrity and authenticity of transmitted messages is called message authentication.
Message authentication code (MAC) processing allows you to verify that a message was not altered or fraudulently introduced onto the system. You can check that a message you have received is the same one sent by the message originator. The message itself can be in clear or encrypted form. The comparison is performed within the cryptographic coprocessor. Because both the sender and receiver share a secret cryptographic key used in the MAC calculation, the MAC comparison also ensures the authenticity of the message.
In a similar manner, MACs can be used to ensure the integrity of data stored on the system or on removable media, such as tape.
CCA key typing makes it possible to give one party a key that can only be used to generate a MAC, and to give another party a corresponding key that can only be used to verify the MAC. This ensures that the second party cannot impersonate the first by generating MACs with their version of the key.
The coprocessor provides support for both single-length and double-length MAC generation and MAC verification keys. With the ANSI X9.9-1 single key algorithm, use the single-length MAC and MACVER keys.
CCA provides support for the use of data-encrypting keys in the MAC Generate and MAC Verify verbs, and also the use of a MAC generation key in the MAC Verify verb. This support permits CCA MAC verbs to interface more smoothly with non-CCA key distribution systems.
HMAC codes are computed using the FIPS-198 Keyed-Hash Message Authentication Code method. See Verifying data integrity and authenticating messages.
- MAC Generate (CSNBMGN)
- MAC Verify (CSNBMVR)
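The key-typing separation described above can be seen in a small software model. This is an added example, not IBM code and not the CCA API: `ToyCoprocessor`, its method names and the key handles are hypothetical, and it computes HMAC-SHA-256 rather than the ANSI X9.9-1 MAC.

```python
import hashlib
import hmac
import secrets

# Model-only labels, named after the MAC and MACVER key types on this page.
MAC, MACVER = "MAC", "MACVER"

class ToyCoprocessor:
    """Software stand-in for the secure boundary: key values never leave it."""

    def __init__(self):
        self._keys = {}  # handle -> (key type, secret key bytes)

    def new_mac_key_pair(self):  # one secret, two handles with different types
        secret = secrets.token_bytes(32)
        gen, ver = secrets.token_hex(8), secrets.token_hex(8)
        self._keys[gen] = (MAC, secret)
        self._keys[ver] = (MACVER, secret)
        return gen, ver

    def mac_generate(self, handle, text):
        key_type, secret = self._keys[handle]
        if key_type != MAC:
            raise PermissionError("key type does not permit MAC generation")
        return hmac.new(secret, text, hashlib.sha256).digest()

    def mac_verify(self, handle, text, mac):
        _, secret = self._keys[handle]  # MAC and MACVER handles may both verify
        expected = hmac.new(secret, text, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)  # compared inside the boundary

def demo():
    hsm = ToyCoprocessor()
    gen, ver = hsm.new_mac_key_pair()
    msg = b"PAY 100.00 TO ACCT 12345"  # constructed sample message
    tag = hsm.mac_generate(gen, msg)
    results = {
        "verify_ok": hsm.mac_verify(ver, msg, tag),
        "tamper_detected": not hsm.mac_verify(ver, b"PAY 900.00 TO ACCT 12345", tag),
        "gen_key_can_verify": hsm.mac_verify(gen, msg, tag),
    }
    try:
        hsm.mac_generate(ver, msg)
        results["verifier_can_generate"] = True
    except PermissionError:
        results["verifier_can_generate"] = False
    return results

if __name__ == "__main__":
    print(demo())
```

The party holding only the verify handle can confirm a MAC and detect an altered message, but a generate request with that handle is refused, which is the property the generate-only and verify-only key types provide.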