Key Recovery Attacks on MACs Based on Properties of Cryptographic APIs
Karl Brincat (1) and Chris J. Mitchell (2)
(1) Visa International EU, PO Box 253, London W8 5TE, UK
(2) Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK
Abstract
This paper is concerned with the design of cryptographic APIs (Application Program Interfaces), and in particular with the
part of such APIs concerned with computing Message Authentication Codes (MACs). In some cases it is necessary for the cryptographic
API to offer the means to ‘part-compute’ a MAC, i.e. perform the MAC calculation for a portion of a data string. In such cases
it is necessary for the API to input and output ‘chaining variables’. As we show in this paper, such chaining variables need
very careful handling lest they increase the possibility of MAC key compromise. In particular, chaining variables should always
be output in encrypted form; moreover the encryption should operate so that re-occurrence of the same chaining variable will
not be evident from the ciphertext.
Keywords Message Authentication Code - cryptographic API - cryptanalysis
The views expressed in this paper are personal to the author and not necessarily those of Visa International
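An added example, not part of the paper, showing the API shape the abstract argues for and the two it rules out: a part-compute CBC-MAC whose chaining variable can leave the module in the clear (the design the paper warns against), under a deterministic single-block ECB wrap (hides the value but not its re-occurrence), or under randomised authenticated encryption with a separate wrapping key (AES-GCM with a fresh nonce, chosen here for illustration), so that the same chaining variable never produces the same ciphertext twice and a modified blob is rejected on import. The simplified CBC-MAC (zero IV, whole blocks, no padding or final transformation), the keys, the messages and every function name are constructed for this example; the paper's own attacks are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var cvLabel = []byte("part-computed CBC-MAC chaining variable") // AEAD associated data: a blob cannot be replayed as some other wrapped object

// CBCMAC is a minimal CBC-MAC (zero IV, whole blocks, no padding or final transformation,
// an illustrative simplification rather than the paper's scheme) that can be run in parts.
type CBCMAC struct {
	blk cipher.Block
	cv  [aes.BlockSize]byte // the chaining variable the paper is concerned with
}

func NewCBCMAC(macKey []byte) (*CBCMAC, error) {
	blk, err := aes.NewCipher(macKey)
	if err != nil {
		return nil, err
	}
	return &CBCMAC{blk: blk}, nil
}

// Update absorbs data one block at a time: cv = E_K(cv XOR block).
func (m *CBCMAC) Update(data []byte) error {
	if len(data)%aes.BlockSize != 0 {
		return errors.New("data must be a whole number of blocks")
	}
	var x [aes.BlockSize]byte
	for i := 0; i < len(data); i += aes.BlockSize {
		for j := range x {
			x[j] = m.cv[j] ^ data[i+j]
		}
		m.blk.Encrypt(m.cv[:], x[:])
	}
	return nil
}

// MAC returns cv in the clear: the MAC value after the last block, but also the raw mid-computation export the paper warns against.
func (m *CBCMAC) MAC() []byte { return append([]byte(nil), m.cv[:]...) }

// ExportDeterministic hides cv (one block) behind a single ECB encryption under a separate wrapping
// key, but equal chaining variables still give equal blobs, so re-occurrence stays visible.
func ExportDeterministic(wrapKey, cv []byte) ([]byte, error) {
	blk, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	blk.Encrypt(out, cv)
	return out, nil
}

func wrapAEAD(wrapKey []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// ExportSealed wraps cv with AES-GCM under a fresh random nonce: equal chaining variables give
// different blobs, and a modified blob is rejected by ImportSealed.
func ExportSealed(wrapKey, cv []byte) ([]byte, error) {
	aead, err := wrapAEAD(wrapKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, cv, cvLabel), nil // blob = nonce || ciphertext || tag
}

// ImportSealed restores a chaining variable produced by ExportSealed under the same wrapping key.
func (m *CBCMAC) ImportSealed(wrapKey, blob []byte) error {
	aead, err := wrapAEAD(wrapKey)
	if err != nil || len(blob) < aead.NonceSize() {
		return errors.New("bad wrapping key or sealed blob")
	}
	n := aead.NonceSize()
	cv, err := aead.Open(nil, blob[:n], blob[n:], cvLabel)
	if err != nil || len(cv) != aes.BlockSize {
		return errors.New("sealed chaining variable rejected")
	}
	copy(m.cv[:], cv)
	return nil
}

func main() {
	m, _ := NewCBCMAC([]byte("0123456789abcdef")) // constructed keys and data, not from the paper
	_ = m.Update([]byte("first  16 bytes!"))
	blob, _ := ExportSealed([]byte("fedcba9876543210"), m.MAC())
	fmt.Printf("sealed chaining variable, %d bytes: %x\n", len(blob), blob)
}
```

Run as is, the program prints one sealed blob; the properties worth checking are that sealing the same chaining variable twice gives two different blobs (unlike ExportDeterministic), that ImportSealed rejects a blob altered by a single bit, a blob sealed under another key, or a truncated blob, and that a MAC resumed from a sealed blob equals the one-shot MAC over the concatenated parts. The wrapping key should be independent of the MAC key (key separation), since it encrypts values produced under the MAC key; the associated-data label keeps the blob from being accepted by any other unwrap operation that happens to use the same wrapping key.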