Exchanging Sensitive Information Using Message Authentication Code


When exchanging sensitive information, the receiver must have assurance that the message has arrived intact from the intended sender. Protecting the validity and accuracy of the data or messages exchanged gives confidence when making key decisions based on them.

In messaging apps like Telegram, a user can edit messages after sending them, so the receiver cannot rely completely on what the conversation currently shows. The following example illustrates this.

Say Bob and Sasha are having a conversation on Telegram and agree on a certain action. What if Sasha takes the action and Bob later changes (or edits) the content of the original message, and then denies that any such condition was agreed between them?

So how do we ensure that the messages exchanged between Bob and Sasha are intact and unaltered between updates?

One way to achieve this is to use a Message Authentication Code (MAC). A MAC algorithm uses symmetric-key cryptographic techniques to provide message authentication, that is, to confirm that the message came from the expected sender and that its contents have not been changed.

Let’s understand how exchanging sensitive information can be done using MAC:

Generate MAC value and send to the recipient

The sender uses a publicly known MAC algorithm, inputs the message and the secret key K to produce a MAC value. The sender forwards the message along with the MAC to the intended recipient.

Re-compute MAC value

On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value.

Compare results

The receiver now compares the freshly computed MAC with the MAC received from the sender. If they match, the receiver is assured that the message was sent by the intended sender. If the computed MAC does not match the MAC sent by the sender, the receiver safely assumes that the message is not genuine or has been altered, and therefore ignores it.
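
The three steps above, as an added example that is not part of the original post. It assumes HMAC-SHA256 as the publicly known MAC algorithm (the post does not name one); the function names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def generate_mac(key: bytes, message: str) -> str:
    """Step 1 (sender): compute the MAC value over the message with shared key K."""
    # Assumption: HMAC-SHA256 stands in for "the MAC algorithm".
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: str, received_mac_hex: str) -> bool:
    """Steps 2 and 3 (receiver): re-compute the MAC and compare the results."""
    try:
        received = bytes.fromhex(received_mac_hex)
    except ValueError:
        return False  # a tag that is not valid hex can never match
    expected = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    # compare_digest takes constant time, so the check does not reveal
    # how many leading bytes of a wrong tag happened to be correct.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    key = secrets.token_bytes(32)           # shared secret K, agreed beforehand
    original = "Ship 100 units by Friday"   # constructed message from Bob
    tag = generate_mac(key, original)       # sent to Sasha with the message
    edited = "Ship 10 units by Friday"      # the same message after an edit
    return {
        "original_accepted": verify_mac(key, original, tag),
        "edited_rejected": not verify_mac(key, edited, tag),
        "wrong_key_rejected": not verify_mac(secrets.token_bytes(32), original, tag),
        "malformed_tag_rejected": not verify_mac(key, original, "not-hex"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

If Sasha keeps the message and its MAC at the time of agreement, any later edit to the text fails verification against the stored MAC.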

Try out the MAC generator algorithm yourself here: https://www.freeformatter.com/hmac-generator.html

Limitations of Message Authentication Code:

There are two major limitations of MAC, both due to the symmetric nature of its operation:

  • Establishment of a shared secret:
    The users risk using an insecure communication channel to establish or share the secret key.
  • Inability to provide non-repudiation:
    Non-repudiation is the assurance that a message originator cannot deny any previously sent messages, commitments or actions. Because both parties know the secret key, it is impossible to determine which of them originally computed the MAC. Therefore, MACs cannot provide proof that a message was indeed sent by the sender.

    Let’s say Sasha receives a box from Bob which has a combination lock. The key code for unlocking the box is known only to Bob and Sasha. Once Sasha receives the box, she uses the key code to unlock it and sees the content inside.

    Since the box opened with the key code, Sasha assumes that the box came from Bob. However, Sasha can’t prove to a third party that the box came from Bob. Bob can deny the claim of sending the box. Therefore this arrangement does not provide non-repudiation.

Digital signatures overcome these limitations. They are discussed in our post ‘Digital Signatures and Use in Blockchain’.


  • July 15, 2019