4.3.5 MAC Command

The Message Authentication Code (MAC) command is used to generate a SHA-256 digest of a message, which consists of a key stored in the device, a challenge and other information on the device. The output of this command is the digest of this message.

The normal flow to use this command is as follows:

  1. Run the Nonce command to load the input challenge and optionally combine it with a generated random number. The result of this operation is a nonce stored internally on the device.
  2. Optionally, run the GenDig command one or more times to combine stored EEPROM locations in the device with the nonce. The result is stored internally in the device. This capability permits two or more keys to be used as part of the response generation.
  3. Run this MAC command to combine the output of Step 1 (and Step 2, if desired) with an EEPROM key to generate an output response (i.e., digest).

Alternatively, data in any slot (which does not have to be secret) can be accumulated into the response through the same GenDig mechanism. This has the effect of authenticating the value stored in that location.
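The host-side half of this flow, as an added example that is not part of the original text: it recomputes the response the device should return after Nonce, optional GenDig and MAC, and compares it in constant time, so a changed key or a changed value in an accumulated slot fails verification. The opcodes, byte layouts and fixed serial-number bytes are assumptions following the ATSHA204A-style message format, which this page does not give; confirm them against the datasheet for the device in use.

```python
import hashlib
import hmac
import struct

# Assumed constants (ATSHA204A-style layout; confirm against the device datasheet).
OP_NONCE, OP_GENDIG, OP_MAC = 0x16, 0x15, 0x08
SN8, SN01 = b"\xEE", b"\x01\x23"   # fixed serial-number bytes mixed into digests
ZONE_DATA = 0x02                   # GenDig Param1 selecting the data zone


def _check(buf, n):
    if len(buf) != n:
        raise ValueError(f"expected {n} bytes, got {len(buf)}")
    return bytes(buf)


def nonce_tempkey(rand_out, num_in, mode=0x00):
    """Step 1: nonce = SHA-256(RandOut || NumIn || opcode || mode || 0x00)."""
    msg = _check(rand_out, 32) + _check(num_in, 20) + bytes([OP_NONCE, mode, 0x00])
    return hashlib.sha256(msg).digest()


def gendig_tempkey(slot_value, slot_id, tempkey):
    """Step 2 (optional): fold one 32-byte EEPROM slot value into the nonce."""
    msg = (_check(slot_value, 32) + bytes([OP_GENDIG, ZONE_DATA])
           + struct.pack("<H", slot_id) + SN8 + SN01 + bytes(25) + _check(tempkey, 32))
    return hashlib.sha256(msg).digest()


def mac_response(key, slot_id, tempkey, mode=0x01):
    """Step 3: mode 0x01 takes the second block from the internal nonce; the
    OTP and remaining serial-number fields are not included, so they are zero."""
    msg = (_check(key, 32) + _check(tempkey, 32) + bytes([OP_MAC, mode])
           + struct.pack("<H", slot_id) + bytes(8) + bytes(3)
           + SN8 + bytes(4) + SN01 + bytes(2))
    return hashlib.sha256(msg).digest()


def verify(device_response, rand_out, num_in, mac_key, mac_slot, extra=()):
    """Recompute the expected digest; extra is (slot_id, slot_value) pairs
    accumulated through GenDig, in the order the commands were run."""
    tk = nonce_tempkey(rand_out, num_in)
    for slot_id, value in extra:
        tk = gendig_tempkey(value, slot_id, tk)
    return hmac.compare_digest(mac_response(mac_key, mac_slot, tk), device_response)


if __name__ == "__main__":
    # Constructed sample values; the "device" side is simulated with the same functions.
    rand, chal, key, cfg = bytes(range(32)), bytes(20), b"\x11" * 32, b"\x22" * 32
    resp = mac_response(key, 0, gendig_tempkey(cfg, 3, nonce_tempkey(rand, chal)))
    print(verify(resp, rand, chal, key, 0, extra=[(3, cfg)]))
```

The host must replay the GenDig steps in the same order and with the same slot numbers the device used, since each step hashes over the previous result.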