A message authentication code, or MAC, computes a digest for the file and uses a secret key to further protect the digest. A MAC does not alter the original file.
List the available mechanisms.
% mac -l Algorithm Keysize: Min Max ----------------------------------- des_mac 64 64 sha1_hmac 8 512 md5_hmac 8 512 sha256_hmac 8 512 sha384_hmac 8 1024 sha512_hmac 8 1024 |
Generate a symmetric key of the appropriate length.
You have two options. You can provide a passphrase from which a key will be generated. Or you can provide a key.
If you provide a passphrase, you must store or remember the passphrase. If you store the passphrase online, the passphrase file should be readable only by you.
If you provide a key, it must be the correct size for the mechanism. For the procedure, see How to Generate a Symmetric Key by Using the dd Command. You can also use the pktool command. For the procedure and some examples, see How to Generate a Symmetric Key by Using the pktool Command.
Provide a key and use a symmetric key algorithm with the mac command.
% mac [-v] -a algorithm [-k keyfile | -K key-label [-T token]] input-file |
Displays the output in the following format:
algorithm (input-file) = mac |
Is the algorithm to use to compute the MAC. Type the algorithm as the algorithm appears in the output of the mac -l command.
Is the file that contains a key of algorithm-specified length.
Is the token name. By default, the token is Sun Software PKCS#11 softtoken. Is used only when the -K key-label option is used.
Is the input file for the MAC.
In the following example, the email attachment is authenticated with the DES_MAC mechanism and a key that is derived from a passphrase. The MAC listing is saved to a file. If the passphrase is stored in a file, the file should not be readable by anyone but the user.
% mac -v -a des_mac email.attach Enter passphrase: <Type passphrase> des_mac (email.attach) = dd27870a % echo "des_mac (email.attach) = dd27870a" >> ~/desmac.daily.05.07 |
In the following example, the email attachment is authenticated with the MD5_HMAC mechanism and a secret key. The MAC listing is saved to a file.
% mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c % echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" \ >> ~/mac.daily.05.07 |
In the following example, the directory manifest is authenticated with the SHA1_HMAC mechanism and a secret key. The results are placed in a file.
% mac -v -a sha1_hmac \ -k $HOME/keyf/05.07.mack64 docs/* > $HOME/mac.docs.legal.05.07 % more ~/mac.docs.legal.05.07 sha1_hmac (docs/legal1) = 9b31536d3b3c0c6b25d653418db8e765e17fe07a sha1_hmac (docs/legal2) = 865af61a3002f8a457462a428cdb1a88c1b51ff5 sha1_hmac (docs/legal3) = 076c944cb2528536c9aebd3b9fbe367e07b61dc7 sha1_hmac (docs/legal4) = 7aede27602ef6e4454748cbd3821e0152e45beb4 |
In the following example, the directory manifest is authenticated with the SHA1_HMAC mechanism and a secret key. The results are placed in the user's PKCS #11 keystore. The user initially created the keystore and the password to the keystore by using the pktool setpin command.
% mac -a sha1_hmac -K legaldocs0507 docs/* Enter pin for Sun Software PKCS#11 softtoken:Type password |
To retrieve the MAC from the keystore, the user uses the verbose option, and provides the key label and the name of the directory that was authenticated.
% mac -v -a sha1_hmac -K legaldocs0507 docs/* Enter pin for Sun Software PKCS#11 softtoken:Type password sha1_hmac (docs/legal1) = 9b31536d3b3c0c6b25d653418db8e765e17fe07a sha1_hmac (docs/legal2) = 865af61a3002f8a457462a428cdb1a88c1b51ff5 sha1_hmac (docs/legal3) = 076c944cb2528536c9aebd3b9fbe367e07b61dc7 sha1_hmac (docs/legal4) = 7aede27602ef6e4454748cbd3821e0152e45beb4 |