Stay organized with collections
Save and categorize content based on your preferences.
A MAC signature is a cryptographic output used to verify the integrity and
authenticity of data. A MAC signature algorithm lets you perform two distinct
operations:
A signing operation, which uses a signing key to produce a MAC signature
over raw data.
A verification operation, where the authenticity of the message can be
validated given the signing key and the MAC tag to be verified.
There are two main purposes of a MAC signature:
Verify the integrity of the signed data.
Verify the authenticity of the message.
While the purpose of MAC signatures is similar to that of digital signatures,
MAC signatures rely on symmetric cryptography. MAC tags are generated and
verified using the same secret key. The sender and the receiver of
a message must both have the same key to use MAC signatures.
Example use case for a MAC signature
MAC algorithms like keyed-hash message authentication code (HMAC) are an
excellent file transfer data integrity-checking mechanism because of their
efficiency. Hash functions can take a message of arbitrary length and transform
it into a fixed-length digest, thus maximizing bandwidth usage.
MAC signing workflow
The following describes the flow for creating and validating a signature. The
two participants in this workflow consist of the signer of data, and the data
recipient.
The signer and the recipient agree on using a specific, shared MAC key.
Both can use this key to create or verify MAC signatures.
The signer performs a sign operation over the data to compute a MAC tag.
The signer provides the data and the MAC tag to the data recipient.
The recipient uses the shared MAC key to verify the MAC signature. If
verification is unsuccessful, then the data has been altered.
Signing algorithms
Cloud Key Management Service only supports keyed-hash message authentication code (HMAC)
algorithms for MAC signing. HMAC algorithms use cryptographic hash functions,
such as SHA-2 or SHA-3, to compute the MAC tag. The strength of the HMAC
function depends on the strength of the hash function, the size of the hash
output, and the size of the key. For more information about HMAC signing
algorithms, see HMAC signing
algorithms.
Limitations
When using Cloud KMS for MAC signatures, the maximum file size is 16
KiB for Cloud HSM keys and 64 KiB for all other keys.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# MAC signatures\n\nA *MAC signature* is a cryptographic output used to verify the integrity and\nauthenticity of data. A MAC signature algorithm lets you perform two distinct\noperations:\n\n- A signing operation, which uses a signing key to produce a MAC signature\n over raw data.\n\n- A verification operation, where the authenticity of the message can be\n validated given the signing key and the MAC tag to be verified.\n\nThere are two main purposes of a MAC signature:\n\n- Verify the integrity of the signed data.\n- Verify the authenticity of the message.\n\nWhile the purpose of MAC signatures is similar to that of digital signatures,\nMAC signatures rely on symmetric cryptography. MAC tags are generated and\nverified using the same secret key. The sender and the receiver of\na message must both have the same key to use MAC signatures.\n| **Note:** Since the sender and the receiver have the same cryptographic material, you can't use MAC tags to prove which of the two signed the file. If you need to be able to verify that the message was signed by the sender, use [digital signatures based on asymmetric keys](/kms/docs/digital-signatures) instead.\n\nExample use case for a MAC signature\n------------------------------------\n\nMAC algorithms like keyed-hash message authentication code (HMAC) are an\nexcellent file transfer data integrity-checking mechanism because of their\nefficiency. Hash functions can take a message of arbitrary length and transform\nit into a fixed-length digest, thus maximizing bandwidth usage.\n\nMAC signing workflow\n--------------------\n\nThe following describes the flow for creating and validating a signature. The\ntwo participants in this workflow consist of the signer of data, and the data\nrecipient.\n\n1. The signer and the recipient agree on using a specific, shared MAC key.\n\n Both can use this key to create or verify MAC signatures.\n2. The signer performs a sign operation over the data to compute a MAC tag.\n\n3. The signer provides the data and the MAC tag to the data recipient.\n\n4. The recipient uses the shared MAC key to verify the MAC signature. If\n verification is unsuccessful, then the data has been altered.\n\nSigning algorithms\n------------------\n\nCloud Key Management Service only supports keyed-hash message authentication code (HMAC)\nalgorithms for MAC signing. HMAC algorithms use cryptographic hash functions,\nsuch as SHA-2 or SHA-3, to compute the MAC tag. The strength of the HMAC\nfunction depends on the strength of the hash function, the size of the hash\noutput, and the size of the key. For more information about HMAC signing\nalgorithms, see [HMAC signing\nalgorithms](/kms/docs/algorithms#mac_signing_algorithms).\n\nLimitations\n-----------\n\nWhen using Cloud KMS for MAC signatures, the maximum file size is 16 KiB for Cloud HSM keys and 64 KiB for all other keys.\n\n\u003cbr /\u003e\n\nWhat's next\n-----------\n\n- Learn about [HMAC signing algorithms](/kms/docs/algorithms#hmac_signing_algorithms).\n- [Create a key](/kms/docs/creating-keys) with the [`MAC`](/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose.ENUM_VALUES.MAC) key purpose and an [HMAC signing algorithm](/kms/docs/algorithms#hmac_signing_algorithms).\n- [Create a MAC signature](/kms/docs/create-validate-mac-signatures#create_mac_signature) using an existing `MAC` key with a message.\n- [Verify a MAC signature](/kms/docs/create-validate-mac-signatures#verify_mac_signature) using an existing `MAC` key with a message and its signature."]]
