The message authentication code (MAC) is generated from an associated message as a method for assuring the integrity of the message and the authenticity of the source of the message. A secret key to the generation algorithm must be established between the originator of the message and its intended receiver(s).
Currently, there are three (3) approved* general purpose MAC algorithms: HMAC, KMAC and CMAC.
FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC) (July 2008), specifies a mechanism for message authentication using an approved hash function. The approved hash functions are specified in FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Specific guidelines in connection with HMAC's security properties are provided in NIST SP 800-107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms.
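The following Python sketch is an added example, not code from NIST or from the standards cited above. It writes out the FIPS 198-1 construction by hand over one FIPS 180-4 hash (SHA-256) and one FIPS 202 hash (SHA3-256), then shows tag generation and constant-time verification between an originator and a receiver. The function names and the shared key and message are constructed for illustration.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC written out: H((K0 ^ opad) || H((K0 ^ ipad) || msg))."""
    block_size = hashlib.new(hash_name).block_size  # B, in bytes
    if len(key) > block_size:
        # Keys longer than one block are hashed first.
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block_size, b"\x00")  # zero-pad the key to B bytes
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def make_tag(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Originator side: compute the MAC with the standard library."""
    return hmac.new(key, msg, hash_name).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes,
               hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed sample values; a real key comes from a key-establishment
    # process between originator and receiver, not from source code.
    key = bytes(range(32))
    msg = b"transfer 100 to account 42"
    tag = make_tag(key, msg)
    return {
        "accepted": verify_tag(key, msg, tag),
        "tampered_message": verify_tag(key, msg.replace(b"100", b"900"), tag),
        "wrong_key": verify_tag(bytes(32), msg, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Comparing tags with `hmac.compare_digest` rather than `==` keeps the comparison time independent of how many leading bytes match.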
KMAC is specified in SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash (December 2016). KMAC is a keyed hash function based on KECCAK, which is specified in FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. There are two variants of KECCAK, KMAC128 and KMAC256.
Testing requirements and validation lists are available from the Cryptographic Algorithm Validation Program (CAVP).