A message authentication code, or MAC, computes a digest for the file and uses a secret key to further protect the digest. A MAC does not alter the original file.
$ mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
sha224_hmac                 8   512
sha256_hmac                 8   512
sha384_hmac                 8  1024
sha512_hmac                 8  1024
You can provide either a passphrase from which a key will be generated or you can provide a key.
If you provide a passphrase, you must store or remember the passphrase. If you store the passphrase online, the passphrase file should be readable only by you.
If you provide a key, it must be the correct size for the mechanism. You can use the pktool command. For the procedure and some examples, see How to Generate a Symmetric Key by Using the pktool Command.
Provide a key and use a symmetric key algorithm with the mac command.
$ mac [-v] -a algorithm [-k keyfile | -K key-label [-T token]] input-file
-v
Displays the output in the following format:
algorithm (input-file) = mac
-a algorithm
The algorithm to use to compute the MAC. Type the algorithm as the algorithm appears in the output of the mac -l command.
-k keyfile
The file that contains a key of algorithm-specified length.
-K key-label
The label of a key in the PKCS #11 keystore.
-T token
The token name. By default, it is Sun Software PKCS#11 softtoken. It is used only when the -K key-label option is used.
input-file
The input file for the MAC.
In the following example, the email attachment is authenticated with the SHA256_HMAC mechanism and a key that is derived from a passphrase. The MAC listing is saved to a file. If the passphrase is stored in a file, the file should not be readable by anyone but the user.
$ mac -v -a sha256_hmac email.attach
Enter passphrase: Type passphrase
sha256_hmac (email.attach) = 9c1ee...d6eb74e5d693b7605c96a23df238e52
$ echo "sha256_hmac (email.attach) = 9c1ee...d6eb74e5d693b7605c96a23df238e52" \
>> ~/sha256hmac.daily.05.13
Example 8 Computing a MAC With SHA256_HMAC and a Key File
In the following example, the directory manifest is authenticated with the SHA256_HMAC mechanism and a secret key. The results are placed in a file.
$ mac -v -a sha256_hmac \
-k $HOME/keyf/05.07.mack64 docs/* > $HOME/mac.docs.legal.05.07
$ more ~/mac.docs.legal.05.07
sha256_hmac (docs/legal1) = e1eb...814a595fb6f0aa8c77f6ef35a7f24ae07d1b9a55
sha256_hmac (docs/legal2) = 0460...88a34b895687ecfd97d1647b90fe3618f5114ff9
sha256_hmac (docs/legal3) = 9c1e...eee8a9913d6eb74e5d693b7605c96a23df238e52
sha256_hmac (docs/legal4) = 389f...cb340d33cca5e4aaa18534c06426d32594bdedf6
Example 9 Computing a MAC With SHA256_HMAC and a Key Label
In the following example, the directory manifest is authenticated with the SHA256_HMAC mechanism and a secret key. The results are placed in the user's PKCS #11 keystore. The user initially created the keystore and the password to the keystore by using the pktool setpin command.
$ mac -a sha256_hmac -K legaldocs0507 docs/*
Enter pin for Sun Software PKCS#11 softtoken:Type password
To retrieve the MAC from the keystore, the user uses the verbose option, and provides the key label and the name of the directory that was authenticated.
$ mac -v -a sha256_hmac -K legaldocs0507 docs/*
Enter pin for Sun Software PKCS#11 softtoken:Type password
sha256_hmac (docs/legal1) = e1eb...814a595fb6f0aa8c77f6ef35a7f24ae07d1b9a55
sha256_hmac (docs/legal2) = 0460...88a34b895687ecfd97d1647b90fe3618f5114ff9
sha256_hmac (docs/legal3) = 9c1e...eee8a9913d6eb74e5d693b7605c96a23df238e52
sha256_hmac (docs/legal4) = 389f...cb340d33cca5e4aaa18534c06426d32594bdedf6
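The key-file example above saves a MAC listing but does not show how to check files against it later. The following Python sketch is an added example, not part of the original documentation: it recomputes HMAC-SHA256 for each entry of a listing in the "algorithm (input-file) = mac" format and reports changed or missing files. It assumes the raw bytes of the key file are used directly as the HMAC key; the function names, sample files and key are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One line of `mac -v` output: "algorithm (input-file) = mac"
LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def file_hmac_sha256(key: bytes, path: Path) -> str:
    """HMAC-SHA256 of a file, read in chunks so large files stay out of memory."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_listing(key: bytes, root: Path, names) -> str:
    """Build a listing in the same line format that the examples above save."""
    return "".join(f"sha256_hmac ({n}) = {file_hmac_sha256(key, root / n)}\n" for n in names)

def verify_listing(key: bytes, root: Path, listing: str) -> dict:
    """Recompute each MAC; map file name to 'ok', 'MISMATCH' or 'MISSING'."""
    results = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "sha256_hmac":
            raise ValueError(f"unrecognized listing line: {line!r}")
        name, expected = m.group(2), m.group(3)
        path = root / name
        if not path.is_file():
            results[name] = "MISSING"
        else:
            # compare_digest avoids leaking how many leading characters matched
            actual = file_hmac_sha256(key, path)
            results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        key = bytes(range(32))                     # constructed 256-bit key, demo only
        for n in ("docs/legal1", "docs/legal2"):   # constructed sample files
            (root / n).write_text(f"contents of {n}\n")
        listing = make_listing(key, root, ["docs/legal1", "docs/legal2"])
        (root / "docs/legal2").write_text("tampered\n")
        print(verify_listing(key, root, listing))
```

A listing whose MAC values have been shortened with "..." cannot be verified; the full hexadecimal value for each file must be stored.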