A message authentication code, or MAC, computes a digest for the file and uses a secret key to further protect the digest. A MAC does not alter the original file.
% mac -l Algorithm Keysize: Min Max ----------------------------------- des_mac 64 64 sha1_hmac 8 512 md5_hmac 8 512 sha224_hmac 8 512 sha256_hmac 8 512 sha384_hmac 8 1024 sha512_hmac 8 1024
You can provide either a passphrase from which a key will be generated or you can provide a key.
If you provide a passphrase, you must store or remember the passphrase. If you store the passphrase online, the passphrase file should be readable only by you.
If you provide a key, it must be the correct size for the mechanism. You can use the pktool command. For the procedure and some examples, see How to Generate a Symmetric Key by Using the pktool Command.
Provide a key and use a symmetric key algorithm with the mac command.
% mac [-v] -a algorithm [-k keyfile | -K key-label [-T token]] input-file
Displays the output in the following format:
algorithm (input-file) = mac
The algorithm to use to compute the MAC. Type the algorithm as the algorithm appears in the output of the mac -l command.
The file that contains a key of algorithm-specified length.
The token name. By default, the token is Sun Software PKCS#11 softtoken. It is used only when the –K key-label option is used.
The input file for the MAC.
In the following example, the email attachment is authenticated with the SHA1_HMAC mechanism and a key that is derived from a passphrase. The MAC listing is saved to a file. If the passphrase is stored in a file, the file should not be readable by anyone but the user.
% mac -v -a sha1_hmac email.attach Enter passphrase: Type passphrase sha1_hmac (email.attach) = 2b31536d3b3c0c6b25d653418db8e765e17fe07b % echo "sha1_hmac (email.attach) = 2b31536d3b3c0c6b25d653418db8e765e17fe07b" \ >> ~/sha1hmac.daily.05.12Example 3-6 Computing a MAC With SHA1_HMAC and a Key File
In the following example, the directory manifest is authenticated with the SHA1_HMAC mechanism and a secret key. The results are placed in a file.
% mac -v -a sha1_hmac \ -k $HOME/keyf/05.07.mack64 docs/* > $HOME/mac.docs.legal.05.07 % more ~/mac.docs.legal.05.07 sha1_hmac (docs/legal1) = 9b31536d3b3c0c6b25d653418db8e765e17fe07a sha1_hmac (docs/legal2) = 865af61a3002f8a457462a428cdb1a88c1b51ff5 sha1_hmac (docs/legal3) = 076c944cb2528536c9aebd3b9fbe367e07b61dc7 sha1_hmac (docs/legal4) = 7aede27602ef6e4454748cbd3821e0152e45beb4Example 3-7 Computing a MAC With SHA1_HMAC and a Key Label
In the following example, the directory manifest is authenticated with the SHA1_HMAC mechanism and a secret key. The results are placed in the user's PKCS #11 keystore. The user initially created the keystore and the password to the keystore by using the pktool setpin command.
% mac -a sha1_hmac -K legaldocs0507 docs/* Enter pin for Sun Software PKCS#11 softtoken:Type password
To retrieve the MAC from the keystore, the user uses the verbose option, and provides the key label and the name of the directory that was authenticated.
% mac -v -a sha1_hmac -K legaldocs0507 docs/* Enter pin for Sun Software PKCS#11 softtoken:Type password sha1_hmac (docs/legal1) = 9b31536d3b3c0c6b25d653418db8e765e17fe07a sha1_hmac (docs/legal2) = 865af61a3002f8a457462a428cdb1a88c1b51ff5 sha1_hmac (docs/legal3) = 076c944cb2528536c9aebd3b9fbe367e07b61dc7 sha1_hmac (docs/legal4) = 7aede27602ef6e4454748cbd3821e0152e45beb4