MAC Modes↑
A message authentication code (MAC) is intended to provide evidence that a message contains the content the sender intended and has not been tampered with. This could be achieved using symmetric or asymmetric cryptography, but typically, when one speaks of a MAC, one implies use of symmetric key cryptography, while “digital signature” implies the use of asymmetric crypto.
Constructing Message Authentication Codes↑
There are two common ways to construct a MAC: use a block cipher in a particular mode of operation, or use a hash function (HMAC). Both can give good security if used correctly. Note that it is important the key used for the MAC is not used for any other operation (like encryption). However, when constructing an HMAC, it is not necessary for the hash function to be collision-resistant.
In the table below we give a number of block cipher MAC modes available in common APIs and their security properties. Ideally, we would like MAC modes to be secure for any length of message, but as we see in the table, some common modes are only secure if all messages are the same length.
| MAC Mode | Security for fixed length messages | Security for variable length messages |
|---|---|---|
| Raw CBC MAC | ✓ | × |
| CMAC | ✓ | ✓ |
| GMAC | ✓ | ✓ |
Finally, note that “Raw CBC mode” is interpreted to mean several slightly different modes, many of which have been historically widely used in the financial sector, and not all of which are secure even for fixed-length messages. They vary in the details of padding, tag size and other details. The definitive reference is Phil Rogaway’s block cipher mode survey - and in particular the table on page 73.