Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Message Authentication Code (MAC)

Training Camp • Cybersecurity Glossary

What is Message Authentication Code (MAC)?

A short cryptographic tag computed from a message and a shared secret key that verifies both data integrity and authenticity (e.g., HMAC).

Glossary > Cryptography & PKI > Message Authentication Code (MAC)

Message Authentication Code (MAC) — A short cryptographic tag computed from a message and a shared secret key that verifies

Understanding Message Authentication Code (MAC)

A Message Authentication Code (MAC) is a short cryptographic tag generated from a message and a shared secret key. A recipient holding the same key recomputes the tag and compares it, verifying both that the data was not altered (integrity) and that it came from a party knowing the key (authenticity). Because the key is symmetric, MACs do not provide non-repudiation.

The sender feeds the message and secret key into a MAC algorithm, appends the resulting fixed-length tag, and transmits both. The receiver recomputes the tag over the received message with the same key; a mismatch reveals tampering or a wrong key. Common constructions include HMAC (hash-based, FIPS 198-1), CMAC (cipher-based, NIST SP 800-38B), and GMAC (from GCM). ISO/IEC 9797 also defines MAC schemes.

MACs protect the integrity and origin of data in transit and at rest, underpinning protocols like TLS, IPsec, and SSH. Without a MAC, an attacker who can modify traffic could alter messages undetected, and a receiver could not distinguish legitimate senders from forgers. A critical detail is that verification must use constant-time comparison; a naive byte-by-byte check can leak timing information that lets an attacker forge tags. MACs differ from plain hashes (no key) and from digital signatures (asymmetric, with non-repudiation).

For example, a payments system might attach an HMAC-SHA256 tag to every transaction message using a key shared with the processor. If a man-in-the-middle changes the transfer amount, the recomputed HMAC will not match the appended one, and the processor rejects the message, ensuring transaction details are both unmodified and from an authorized sender.

Learn More About Message Authentication Code (MAC):

Ready to Get Certified?

Message Authentication Code (MAC) is one of the topics you'll master in the Security+ Boot Camp.

Security+ Boot Camp →