z/OS Cryptographic Services ICSF Application Programmer's Guide


Message Authentication Code Processing

SA22-7522-16

The process of verifying the integrity and authenticity of transmitted messages is called message authentication. Message authentication code (MAC) processing allows you to verify that a message was not altered and that it was not fraudulently introduced onto the system: you can check that a message you have received is the same one the originator sent. The message itself may be in clear or encrypted form. The comparison is performed within the cryptographic feature. Because the sender and receiver share a secret cryptographic key used in the MAC calculation, a successful comparison also establishes the authenticity of the message: only a holder of that key could have produced the MAC.

In a similar manner, MACs can be used to ensure the integrity of data stored on the system or on removable media, such as tape.

ICSF provides support for both single-length and double-length MAC generation and MAC verification keys. With the ANSI X9.9-1 single key algorithm, use the single-length MAC and MACVER keys.

ICSF supports the use of data-encrypting keys in the MAC generation and verification callable services, and the use of a MAC generation key in the MAC verification callable service. This support permits the ICSF MAC services to interoperate more smoothly with non-CCA key distribution systems, including those implementing the ANSI X9.17 protocol.

HMAC Generation Callable Service (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)

When a message is sent, an application program can generate an authentication code for it using the HMAC generation callable service. The callable service computes the message authentication code using the FIPS 198 Keyed-Hash Message Authentication Code (HMAC) method.

HMAC Verification Callable Service (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)

When the receiver gets the message, an application program calls the HMAC verification callable service. The callable service verifies a MAC by generating another MAC and comparing it with the MAC received with the message. If the two codes are the same, the message sent was the same one received. A return code indicates whether the MACs are the same.

The HMAC verification callable service uses the FIPS 198 Keyed-Hash Message Authentication Code (HMAC) method; the hash algorithm and the key used for verification must be the same ones used to generate the MAC.
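The generate-then-compare round trip that the two HMAC services perform, as an added example in Go using only the standard library. This is not ICSF code and does not call CSNBHMG or CSNBHMV; the names hmacGenerate and hmacVerify are this example's own, and the key and message are the RFC 4231 test case 2 vector, used so the result can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacGenerate computes an HMAC-SHA256 tag (the FIPS 198 construction) over
// message under key. crypto/hmac already applies the FIPS 198 key handling:
// keys longer than the hash block size are hashed, shorter ones zero-padded.
func hmacGenerate(key, message []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(message)
	return mac.Sum(nil)
}

// hmacVerify is the "generate another MAC and compare" step of the
// verification service. hmac.Equal compares in constant time; a plain
// bytes.Equal would leak the position of the first mismatching byte to a
// caller who can time the check. A tag of the wrong length never verifies.
func hmacVerify(key, message, tag []byte) bool {
	expected := hmacGenerate(key, message)
	return hmac.Equal(expected, tag)
}

func main() {
	// Known-answer vector (RFC 4231 test case 2): key "Jefe".
	key := []byte("Jefe")
	msg := []byte("what do ya want for nothing?")
	tag := hmacGenerate(key, msg)
	fmt.Printf("tag:              %s\n", hex.EncodeToString(tag))
	fmt.Println("verify original: ", hmacVerify(key, msg, tag))
	fmt.Println("verify tampered: ", hmacVerify(key, []byte("what do ya want for something?"), tag))
	fmt.Println("verify wrong key:", hmacVerify([]byte("Jeff"), msg, tag))
	fmt.Println("verify short tag:", hmacVerify(key, msg, tag[:16]))
}
```

The receiver never compares the tag with a general-purpose equality routine; the constant-time comparison is the whole reason verification is offered as a separate service rather than left to the application.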

MAC Generation Callable Service (CSNBMGN or CSNBMGN1 and CSNEMGN or CSNEMGN1)

When a message is sent, an application program can generate an authentication code for it using the MAC generation callable service. The callable service computes the message authentication code using one of these methods:

  • Using the ANSI X9.9-1 single key algorithm, a single-length MAC generation key or data-encrypting key, and the message text.
  • Using the ANSI X9.19 optional double key algorithm, a double-length MAC generation key and the message text.
  • Using Europay, MasterCard and Visa (EMV) padding rules with a single-length MAC key or double-length MAC key and the message text.
  • Using the ISO 16609 algorithm with a double-length MAC key or a double-length DATA key and the message text.

ICSF allows the MAC to be the leftmost 32 or 48 bits of the last ciphertext block, or the entire last block (64 bits). The originator of the message sends the message authentication code with the message text.

MAC Verification Callable Service (CSNBMVR or CSNBMVR1 and CSNEMVR or CSNEMVR1)

When the receiver gets the message, an application program calls the MAC verification callable service. The callable service verifies a MAC by generating another MAC and comparing it with the MAC received with the message. If the two codes are the same, the message sent was the same one received. A return code indicates whether the MACs are the same.

The MAC verification callable service can use one of these methods to regenerate the MAC for comparison:

  • The ANSI X9.9-1 single key algorithm, a single-length MAC verification or MAC generation key (or a data-encrypting key), and the message text.
  • The ANSI X9.19 optional double key algorithm, a double-length MAC verification or MAC generation key, and the message text.
  • Europay, MasterCard and Visa (EMV) padding rules, a single-length or double-length MAC key, and the message text.
  • The ISO 16609 algorithm, a double-length MAC key or a double-length DATA key, and the message text.

The method used to verify the MAC must correspond to the method used to generate it: the same algorithm, the same key (or the matching verification key) and the same MAC length.
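The ANSI X9.9-1 and ANSI X9.19 computations listed under the MAC generation and MAC verification services, with the 32/48/64-bit truncation and a constant-time verify, as an added Go example that is not ICSF code. It uses crypto/des from the Go standard library on clear keys, whereas the ICSF services operate on keys protected under the master key; x9MAC, truncate and verify are this example's own names, the keys and message in main are constructed test data, and zero-byte padding to a block boundary (ISO 9797-1 padding method 1, the padding X9.9 applies to binary data) is the padding this example assumes.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 8 // DES block size in bytes

// pad appends zero bytes up to a block boundary (ISO 9797-1 padding method 1);
// an empty message becomes one all-zero block. A copy is returned so the
// caller's message is never modified.
func pad(msg []byte) []byte {
	out := append([]byte{}, msg...)
	if len(out) == 0 || len(out)%blockSize != 0 {
		out = append(out, make([]byte, blockSize-len(out)%blockSize)...)
	}
	return out
}

// x9MAC computes ANSI X9.9-1 when k2 is nil (single-length key): DES-CBC with
// a zero IV over the padded message, the last ciphertext block being the MAC.
// When k2 is given it computes ANSI X9.19 (the "retail MAC") with the
// double-length key K1||K2: the same chain under K1, then one DES decryption
// under K2 and one DES encryption under K1 applied to the final block only.
// Either way the full 64-bit result is returned, before truncation.
func x9MAC(k1, k2, msg []byte) ([]byte, error) {
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	state := make([]byte, blockSize)
	data := pad(msg)
	for i := 0; i < len(data); i += blockSize {
		for j := 0; j < blockSize; j++ {
			state[j] ^= data[i+j]
		}
		c1.Encrypt(state, state)
	}
	if k2 != nil {
		c2, err := des.NewCipher(k2)
		if err != nil {
			return nil, err
		}
		c2.Decrypt(state, state)
		c1.Encrypt(state, state)
	}
	return state, nil
}

// truncate keeps the leftmost bits of the 64-bit block; only 32, 48 and 64
// are accepted, matching the MAC lengths the text lists.
func truncate(mac []byte, bits int) ([]byte, error) {
	switch bits {
	case 32, 48, 64:
		return mac[:bits/8], nil
	}
	return nil, fmt.Errorf("unsupported MAC length: %d bits", bits)
}

// verify regenerates the MAC with the same method, key(s) and length, then
// compares in constant time. A tag of the wrong length never verifies.
func verify(k1, k2, msg, mac []byte, bits int) bool {
	full, err := x9MAC(k1, k2, msg)
	if err != nil {
		return false
	}
	want, err := truncate(full, bits)
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}

func main() {
	// Constructed test keys; crypto/des does not check DES key parity.
	k1, _ := hex.DecodeString("0123456789abcdef")
	k2, _ := hex.DecodeString("fedcba9876543210")
	msg := []byte("Now is the time for all ")

	full, _ := x9MAC(k1, nil, msg)
	mac32, _ := truncate(full, 32)
	fmt.Printf("X9.9  32-bit MAC %x verifies: %v\n", mac32, verify(k1, nil, msg, mac32, 32))
	full, _ = x9MAC(k1, k2, msg)
	mac64, _ := truncate(full, 64)
	fmt.Printf("X9.19 64-bit MAC %x verifies: %v\n", mac64, verify(k1, k2, msg, mac64, 64))
	fmt.Printf("tampered text verifies: %v\n", verify(k1, k2, []byte("Now is the time for ALL "), mac64, 64))

	// Zero padding cannot distinguish "abc" from "abc\x00": both pad to the same block.
	a, _ := x9MAC(k1, nil, []byte("abc"))
	b, _ := x9MAC(k1, nil, []byte("abc\x00"))
	fmt.Printf("trailing-zero collision: %v\n", bytes.Equal(a, b))
}
```

Two properties of this construction are worth knowing before relying on it. With K2 equal to K1 the X9.19 final step undoes and redoes the last encryption, so the result collapses to the X9.9 MAC; and under zero padding, messages that differ only in trailing zero bytes produce the same MAC, so the message length must be authenticated some other way (the EMV and ISO 16609 options in the text exist partly because of such padding issues). X9.9 also rests on a single 56-bit DES key, which is why the double-length X9.19 variant is preferred where the key may be attacked offline.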

Symmetric MAC Generate Callable Service (CSNBSMG, CSNBSMG1, CSNESMG and CSNESMG1)

This service generates a MAC using a clear AES key. The algorithms supported are CBC-MAC and XCBC-MAC (AES-XCBC-MAC-96 and AES-XCBC-PRF-128).

Symmetric MAC Verify Callable Service (CSNBSMV, CSNBSMV1, CSNESMV and CSNESMV1)

This service verifies a MAC using a clear AES key. The algorithms supported are CBC-MAC and XCBC-MAC (AES-XCBC-MAC-96 and AES-XCBC-PRF-128).
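A worked implementation of AES-XCBC-PRF-128 and AES-XCBC-MAC-96 (RFC 3566), the XCBC variants the two Symmetric MAC services name, as an added Go example using the standard library. It is not ICSF code and does not call CSNBSMG or CSNBSMV; deriveKeys, xcbcPRF128, xcbcMAC96 and verifyXCBC96 are this example's own names. The key and messages in main are the known-answer vectors of RFC 3566 section 4, so the printed tags can be checked against the RFC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const bs = 16 // AES block size in bytes

func xorInto(dst, src []byte) {
	for i := range src {
		dst[i] ^= src[i]
	}
}

// deriveKeys derives the three XCBC subkeys as RFC 3566 section 4 specifies:
// K1 = AES-K(0x01 x16), K2 = AES-K(0x02 x16), K3 = AES-K(0x03 x16).
func deriveKeys(key []byte) ([][]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	sub := make([][]byte, 3)
	for i := range sub {
		sub[i] = make([]byte, bs)
		c.Encrypt(sub[i], bytes.Repeat([]byte{byte(i + 1)}, bs))
	}
	return sub, nil
}

// xcbcPRF128 computes AES-XCBC-PRF-128, the full 128-bit XCBC output. Every
// block but the last is chained under K1. The last block is XORed with K2 if
// it is complete, or padded with 0x80 00.. and XORed with K3 if it is not;
// an empty message counts as one incomplete block.
func xcbcPRF128(key, msg []byte) ([]byte, error) {
	sub, err := deriveKeys(key)
	if err != nil {
		return nil, err
	}
	c, _ := aes.NewCipher(sub[0]) // K1 is always 16 bytes
	e := make([]byte, bs)
	for len(msg) > bs {
		xorInto(e, msg[:bs])
		c.Encrypt(e, e)
		msg = msg[bs:]
	}
	last := make([]byte, bs)
	copy(last, msg)
	if len(msg) == bs {
		xorInto(last, sub[1]) // complete final block: K2
	} else {
		last[len(msg)] = 0x80 // 10* padding, then K3
		xorInto(last, sub[2])
	}
	xorInto(e, last)
	c.Encrypt(e, e)
	return e, nil
}

// xcbcMAC96 is AES-XCBC-MAC-96: the leftmost 96 bits of the PRF-128 output.
func xcbcMAC96(key, msg []byte) ([]byte, error) {
	full, err := xcbcPRF128(key, msg)
	if err != nil {
		return nil, err
	}
	return full[:12], nil
}

// verifyXCBC96 regenerates the 96-bit tag and compares it in constant time.
func verifyXCBC96(key, msg, tag []byte) bool {
	want, err := xcbcMAC96(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// RFC 3566 section 4 vectors: key 00..0f, message bytes 00, 01, 02, ...
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	for _, m := range []string{"", "000102", "000102030405060708090a0b0c0d0e0f", "000102030405060708090a0b0c0d0e0f10111213"} {
		msg, _ := hex.DecodeString(m)
		tag, _ := xcbcMAC96(key, msg)
		fmt.Printf("%2d-byte message: AES-XCBC-MAC-96 = %s\n", len(msg), hex.EncodeToString(tag))
	}
}
```

The separate final-block keys K2 and K3 are what make XCBC a secure MAC for messages of any length. The plain CBC-MAC that these services also offer (the same chain under a single key, with no final-block keying) is only secure when every message authenticated under a key has one fixed, agreed length; with variable lengths an attacker holding valid tags can forge a tag for a concatenated message, so CBC-MAC should be reserved for fixed-length records.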





Copyright IBM Corporation 1990, 2014