Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Verifying a message's integrity and origin using MACs or digital signatures, proving it wasn't altered and came from a trusted sender.
Message Authentication Definition: Verifying a message's integrity and origin using MACs or digital signatures, proving it wasn't altered and came from a trusted sender.
Message authentication is the security service that verifies a message has not been altered in transit and genuinely originates from the claimed sender. It provides two assurances at once, data integrity (the content is unchanged) and authenticity (the source is who it claims to be), protecting communications from tampering and forgery.
The primary mechanism is the Message Authentication Code (MAC), a short cryptographic tag computed from the message and a secret key shared between sender and receiver. HMAC, defined in RFC 2104, is the most common construction, combining a hash function such as SHA-256 with the shared key. The sender appends the MAC; the receiver recomputes it and compares. Any change to the message, or an attacker without the key, produces a mismatch. Digital signatures provide the same protections using asymmetric keys and additionally deliver non-repudiation, which symmetric MACs cannot.
Message authentication matters because confidentiality alone is not enough, encrypted data can still be corrupted or replayed, and an attacker might inject forged messages. Without authentication, a recipient cannot trust that instructions, transactions, or updates are legitimate and intact. It is foundational to secure protocols: TLS, IPsec, and SSH all use MACs to protect each record or packet, and authenticated encryption (AEAD) modes like AES-GCM combine encryption with built-in message authentication.
For example, an API uses HMAC-SHA256 to authenticate requests. The client computes a MAC over the request body using a shared secret and sends it in a header. The server recomputes the MAC with its copy of the secret; if an attacker tampered with the payload in transit or lacks the secret, the recomputed tag will not match and the server rejects the request, blocking both tampering and forgery.
Message Authentication is one of the topics you'll master in the Security+ Boot Camp.
Security+ Boot Camp →