This paper is concerned with the design of cryptographic APIs (Application Program Interfaces), and in particular with the part of such APIs concerned with computing Message Authentication Codes (MACs). In some cases it is necessary for the cryptographic API to offer the means to ‘part-compute’ a MAC, i.e. perform the MAC calculation for a portion of a data string. In such cases it is necessary for the API to input and output ‘chaining variables’. As we show in this paper, such chaining variables need very careful handling lest they increase the possibility of MAC key compromise. In particular, chaining variables should always be output in encrypted form; moreover the encryption should operate so that re-occurrence of the same chaining variable will not be evident from the ciphertext.
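The handling rule stated above, as an added sketch that is not code from the paper: a module that part-computes a CBC-MAC-style chained MAC and exports each chaining variable only under randomized encryption, so the same chaining variable never produces the same ciphertext twice. The class and method names, the HMAC-SHA256 stand-in for the block cipher, and the integrity tag on the exported blob are assumptions of this example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # chaining variable size in bytes (assumed)

class MacModule:
    """Hypothetical trusted side of the API; keys never leave this object."""

    def __init__(self):
        self._mac_key = os.urandom(32)
        self._wrap_key = os.urandom(32)  # separate key protects chaining variables

    def _prf(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _chain(self, cv, data):
        # CBC-MAC style chaining H_i = E_K(H_{i-1} XOR D_i); a truncated PRF
        # stands in for the block cipher E_K here.
        for i in range(0, len(data), BLOCK):
            x = bytes(a ^ b for a, b in zip(cv, data[i:i + BLOCK]))
            cv = self._prf(self._mac_key, x)[:BLOCK]
        return cv

    def _wrap(self, cv):
        nonce = os.urandom(BLOCK)  # fresh per export: equal inputs, unequal blobs
        stream = self._prf(self._wrap_key, b"enc" + nonce)[:BLOCK]
        ct = bytes(a ^ b for a, b in zip(cv, stream))
        return nonce + ct + self._prf(self._wrap_key, b"tag" + nonce + ct)

    def _unwrap(self, blob):
        if blob is None:  # start of a new MAC computation
            return bytes(BLOCK)
        nonce, ct, tag = blob[:BLOCK], blob[BLOCK:2 * BLOCK], blob[2 * BLOCK:]
        expected = self._prf(self._wrap_key, b"tag" + nonce + ct)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("chaining variable blob rejected")
        stream = self._prf(self._wrap_key, b"enc" + nonce)[:BLOCK]
        return bytes(a ^ b for a, b in zip(ct, stream))

    def mac_part(self, blob, data):
        """Process whole blocks; return only the wrapped chaining variable."""
        if len(data) % BLOCK:
            raise ValueError("partial input must be whole blocks")
        return self._wrap(self._chain(self._unwrap(blob), data))

    def mac_final(self, blob, data):
        """Pad (0x80 then zeros), process the last part, return the MAC."""
        pad = b"\x80" + bytes(-(len(data) + 1) % BLOCK)
        return self._chain(self._unwrap(blob), data + pad)
```
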
Brincat, K., & Mitchell, C. J. (2001). Key recovery attacks on MACs based on properties of cryptographic APIs. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2260, pp. 63–72). Springer Verlag. https://doi.org/10.1007/3-540-45325-3_7