Message authentication code
==Security==

While MAC functions are similar to [[cryptographic hash function]]s, they possess different security requirements. To be considered secure, a MAC function must resist [[existential forgery]] under [[Digital signature forgery|chosen-message attack]]s. This means that even if an attacker has access to an [[oracle machine|oracle]] which possesses the secret key and generates MACs for messages of the attacker's choosing, the attacker cannot guess the MAC for other messages (which were not used to query the oracle) without performing infeasible amounts of computation.

MACs differ from [[digital signature]]s in that MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with [[symmetric encryption]]. For the same reason, MACs do not provide the property of [[non-repudiation]] offered by signatures specifically in the case of a network-wide [[shared secret]] key: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, as in public-key cryptography.<ref name=":1" /> Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key usage information to the MAC key; the same key is in the possession of two people, but one has a copy of the key that can be used for MAC generation while the other has a copy of the key in a [[hardware security module]] that only permits MAC verification.
This is commonly done in the finance industry.{{citation needed|date=February 2013}}

{{see also|Key commitment}}

While the primary goal of a MAC is to prevent forgery by adversaries without knowledge of the secret key, this is insufficient in certain scenarios. When an adversary is able to control the MAC key, stronger guarantees are needed, akin to [[collision resistance]] or [[Preimage attack|preimage security]] in hash functions. For MACs, these concepts are known as ''commitment'' and ''context-discovery'' security.<ref>{{Cite book |last1=Bhaumik |first1=Ritam |last2=Chakraborty |first2=Bishwajit |last3=Choi |first3=Wonseok |last4=Dutta |first4=Avijit |last5=Govinden |first5=Jérôme |last6=Shen |first6=Yaobin |chapter=The Committing Security of MACs with Applications to Generic Composition |series=Lecture Notes in Computer Science |date=2024 |volume=14923 |editor-last=Reyzin |editor-first=Leonid |editor2-last=Stebila |editor2-first=Douglas |title=Advances in Cryptology – CRYPTO 2024 |chapter-url=https://link.springer.com/chapter/10.1007/978-3-031-68385-5_14 |language=en |location=Cham |publisher=Springer Nature Switzerland |pages=425–462 |doi=10.1007/978-3-031-68385-5_14 |isbn=978-3-031-68385-5}}</ref>
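
Added example, not part of the original article: a Python sketch of two points from this section, using HMAC-SHA256 from the standard library. It shows that a shared key lets the receiver produce the sender's exact tag (no non-repudiation) unless the receiver only holds a verify-only handle, and that unforgeability does not imply commitment, since HMAC maps an over-long key and its hash to the same tag. The names <code>mac</code>, <code>verify</code> and <code>VerifyOnlyKey</code> are assumptions made for illustration; <code>VerifyOnlyKey</code> only models an HSM usage policy and does not protect the key in memory.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    """Generate an HMAC-SHA256 tag over msg."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac(key, msg), tag)


class VerifyOnlyKey:
    """Hypothetical model of an HSM key handle whose usage policy
    permits MAC verification but exposes no generation operation."""

    def __init__(self, key: bytes):
        self.__key = key  # a real HSM would never release this value

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return verify(self.__key, msg, tag)


def shared_key_is_repudiable() -> bool:
    """With one shared key, the receiver can produce the sender's exact tag,
    so a valid tag does not prove which party created it."""
    key = secrets.token_bytes(32)
    msg = b"pay 100 to account 42"  # constructed sample message
    sender_tag = mac(key, msg)
    receiver_tag = mac(key, msg)  # the receiver holds the same key
    return sender_tag == receiver_tag and verify(key, msg, receiver_tag)


def hmac_keys_do_not_commit() -> bool:
    """HMAC replaces a key longer than the hash block size (64 bytes for
    SHA-256) with its hash, so two distinct keys yield the same tag.
    A valid tag therefore does not commit to a single key."""
    long_key = secrets.token_bytes(80)
    hashed_key = hashlib.sha256(long_key).digest()
    msg = b"constructed sample message"
    return long_key != hashed_key and mac(long_key, msg) == mac(hashed_key, msg)
```

Where tags must bind to one key, a common defensive measure is to fix the key length at the protocol level so that over-long or padded keys are rejected before use.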