Message Authentication Code (MAC)
Stay organized with collections
Save and categorize content based on your preferences.
The MAC primitive lets you to verify that no one has tampered with your data.
A sender sharing a symmetric key with a recipient can compute an
authentication tag for a given message, which allows the recipient to verify
that a message is from the expected sender and has not been modified.
MAC has the following properties:
- Authenticity: Knowing the key is the only way to create a verifiable MAC
tag.
- Symmetric: Computing and verifying the tag requires the same key.
MAC can be deterministic or randomized, depending on the algorithm. Tink does
not implement non-deterministic MAC algorithms at the moment. You should use MAC
only for message authentication, not for other purposes like generation of
pseudorandom bytes (for that, see PRF).
If you need an asymmetric primitive instead, see Digital
Signature.
Choose a key type
We recommend using HMAC_SHA256 for most uses, but there are other options as
well.
In general, the following holds true:
Minimal security guarantees
- At least 80-bit authentication strength
- Secure against existential forgery under chosen plaintext attack
- At least 128-bit security against key recovery attacks, and also in
multi-user scenarios (when an attacker is not targeting a specific key, but
any key from a set of up to 232 keys)
Example use case
See I want to protect data from tampering.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-06-02 UTC.
[null,null,["Last updated 2025-06-02 UTC."],[[["\u003cp\u003eThe Message Authentication Code (MAC) primitive, using a shared symmetric key, enables verification of data integrity and authenticity by generating an authentication tag.\u003c/p\u003e\n"],["\u003cp\u003eMAC ensures authenticity as only the key holder can create a verifiable tag, and it's symmetric, requiring the same key for both computation and verification.\u003c/p\u003e\n"],["\u003cp\u003eTink recommends HMAC_SHA256 for most use cases, while HMAC_SHA512 offers higher security and AES256_CMAC might provide better performance with specific hardware.\u003c/p\u003e\n"],["\u003cp\u003eTink's MAC implementation guarantees a minimum of 80-bit authentication strength, protection against forgery, and at least 128-bit security against key recovery attacks, even in multi-user environments.\u003c/p\u003e\n"]]],["MAC uses a shared symmetric key between sender and recipient to verify message authenticity and integrity. The sender computes an authentication tag for a message, which the recipient uses to confirm its origin and unaltered state. MAC guarantees authenticity, where only key holders can create verifiable tags. Key recommendations include HMAC_SHA256, HMAC_SHA512 (most conservative), and AES256_CMAC (fastest with AES-NI). MAC is designed solely for message authentication, offering a minimum of 80-bit authentication strength.\n"],null,["# Message Authentication Code (MAC)\n\nThe MAC primitive lets you to verify that no one has tampered with your data.\nA sender sharing a *symmetric key* with a recipient can compute an\n*authentication tag* for a given message, which allows the recipient to verify\nthat a message is from the expected sender and has not been modified.\n\nMAC has the following properties:\n\n- **Authenticity**: Knowing the key is the only way to create a verifiable MAC tag.\n- **Symmetric**: Computing and verifying the tag requires the same key.\n\nMAC can be deterministic or randomized, depending on the algorithm. Tink does\nnot implement non-deterministic MAC algorithms at the moment. You should use MAC\nonly for message authentication, not for other purposes like generation of\npseudorandom bytes (for that, see [PRF](/tink/prf)).\n\nIf you need an asymmetric primitive instead, see [Digital\nSignature](/tink/digital-signature).\n\n### Choose a key type\n\nWe recommend using **HMAC_SHA256** for most uses, but there are other options as\nwell.\n\nIn general, the following holds true:\n\n- HMAC_SHA512 may or may not be faster depending on your message size and the specifics of the hardware you use.\n- HMAC_SHA512 is the most conservative mode that can be used for practically unlimited number of messages.\n- AES256_CMAC is fastest on systems that support the [AES-NI](https://www.intel.com/content/www/us/en/developer/articles/technical/advanced-encryption-standard-instructions-aes-ni.html) hardware\n acceleration.\n\n | **Note:** Tink doesn't offer AES128_CMAC because it doesn't offer 128-bit security in multi-user scenarios.\n\n### Minimal security guarantees\n\n- At least 80-bit authentication strength\n- Secure against existential forgery under chosen plaintext attack\n- At least 128-bit security against key recovery attacks, and also in multi-user scenarios (when an attacker is not targeting a specific key, but any key from a set of up to 2^32^ keys)\n\n### Example use case\n\nSee [I want to protect data from tampering](/tink/protect-data-from-tampering)."]]
