Score:1

Integrity while using CBC


We have a body we want to encrypt using CBC, and we add to that body one block of text known to both sides:

newBody = body + knownBlock

Now we encrypt newBody using a key known to both sides, then we transfer the encrypted text on a wire to person B:

cipherText = encrypt_using_cbc(newBody)

If person B decrypts the cipherText and gets an identical last block, can he trust the data he decrypted (data integrity)?

Score:3

No. A man-in-the-middle who corrupts a block in a CBC-encrypted message can “realign” in the next block.

Let $E$ be the block encryption function. Let $P_1, P_2, P_3$ be three blocks of data. The CBC encryption of $P_1 || P_2 || P_3$ with the IV $C_0$ is $C_0 || C_1 || C_2 || C_3$ where

$$
\begin{align}
C_1 &= E(P_1 \oplus C_0) \\
C_2 &= E(P_2 \oplus C_1) \\
C_3 &= E(P_3 \oplus C_2)
\end{align}
$$

Let $M$ be a nonzero block. Let's insert this perturbation in the second plaintext block: $C_2 = E((P_2 \oplus M) \oplus (C_1 \oplus M))$. Send the ciphertext $(C_1 \oplus M) || C_2 || C_3$. It decrypts to $P'_1 || (P_2 \oplus M) || P_3$. The “check value” $P_3$ is the same, but the two preceding blocks have been corrupted. An attacker can apply an arbitrary change to a known plaintext block, without knowing the key or any additional plaintext/ciphertext pair, as long as they don't mind corrupting the previous block in a way they can't control.

Using a hash of the data in the last block isn't secure either.

Score:1

The attacker can just change any ciphertext block but the last two. The decryption of the last block is defined as $P_n = C_{n-1} \oplus D_k(C_n)$ where the last block is block $n$.

The attack will produce garbled plaintext for the altered blocks, and flip the bits at the similar bit location in the next blocks. The amount of ciphertext may also be shortened or increased at will, as long as the final two blocks are not altered. If the attacker can control the IV then it is also possible to flip any bit of the first block - assuming it is not the last or next-to-last block.

So no, this is not a great idea. It is possible to guess that it is not by seeing that you can perform parallel decryption on CBC: you can start decrypting at any point as long as you know the ciphertext down to the block before.

Then again, it would have been worse if you'd chosen CTR mode, where the attacker can change any bit at will, regardless of what is in the final "block". Both modes would also make you vulnerable against plaintext oracle attacks, which could also hurt confidentiality.


If you are interested in this kind of stuff you might want to have a look at (bidirectional) Infinite Garble Extension mode, also known as IGE and biIGE. But note that most of the time using a MAC is the way to go.
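The two answers above describe the same weakness from two angles: the first gives the "realign" bit-flip ($C_1 \oplus M$ turns $P_2$ into $P_2 \oplus M$ while the trailing check block survives), the second points out that any block but the last two can be altered and that the ciphertext can be shortened at will. The script below is an added worked example, not code from either answer or from the original question. It implements CBC by hand on top of a toy 4-round Feistel cipher built from SHA-256 (an assumption made so it runs offline with no third-party library; the attack is a property of the CBC mode, not of the block cipher, so AES would behave identically). The key, IV, known trailer block and message body are constructed values; the receiver's only integrity check is "last plaintext block equals the known block", exactly as in the question.

```python
import hashlib

BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4

# Constructed values for the demonstration (assumptions, not from the post).
KEY = b"shared-secret-k!"             # 16-byte key known to sender and receiver
IV = bytes(range(BLOCK))              # fixed IV agreed by both sides (C_0)
KNOWN_BLOCK = b"KNOWN-TRAILER-16"     # the "knownBlock" appended to every body
BODY = b"TO ACCOUNT 1234 " + b"PAY 0000100 USD " + b"REF: INVOICE-42 "


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed Feistel round function (any PRF would do here)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher E standing in for AES (assumption: CBC's
    malleability does not depend on which block cipher is used)."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the rounds in reverse order."""
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E(P_i xor C_{i-1}) with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(C_i) xor C_{i-1}: each block depends on only two ciphertext blocks."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def sender_encrypt(body: bytes) -> bytes:
    return cbc_encrypt(KEY, IV, body + KNOWN_BLOCK)


def receiver_decrypt(ciphertext: bytes):
    """Returns (body, check_passed). The only 'integrity' check is that the
    final plaintext block equals KNOWN_BLOCK, as in the question."""
    pt = cbc_decrypt(KEY, IV, ciphertext)
    return pt[:-BLOCK], pt[-BLOCK:] == KNOWN_BLOCK


def realign_attack(ciphertext: bytes, target_block: int, mask: bytes) -> bytes:
    """XOR `mask` into ciphertext block target_block-1 (0-based). Plaintext
    block target_block becomes P xor mask, block target_block-1 decrypts to
    garbage, and every later block (the trailer included) is untouched.
    No key or extra plaintext/ciphertext pair is needed."""
    assert target_block >= 1
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    blocks[target_block - 1] = _xor(blocks[target_block - 1], mask)
    return b"".join(blocks)


def truncate_attack(ciphertext: bytes, n_drop: int) -> bytes:
    """Drop the first n_drop ciphertext blocks. Only the block now decrypted
    against the IV is garbled; the last two blocks, and so the check, survive."""
    return ciphertext[n_drop * BLOCK:]


def demo() -> dict:
    ct = sender_encrypt(BODY)
    honest_body, honest_ok = receiver_decrypt(ct)

    # Turn "PAY 0000100 USD " (plaintext block 1) into "PAY 9000100 USD ":
    # the attacker knows that byte 4 of that block is '0' and wants '9'.
    mask = bytearray(BLOCK)
    mask[4] = ord("0") ^ ord("9")
    forged_body, forged_ok = receiver_decrypt(realign_attack(ct, 1, bytes(mask)))

    truncated_body, truncated_ok = receiver_decrypt(truncate_attack(ct, 1))
    return {
        "honest_body": honest_body, "honest_ok": honest_ok,
        "forged_body": forged_body, "forged_ok": forged_ok,
        "truncated_body": truncated_body, "truncated_ok": truncated_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In the forged message the receiver's check passes, the amount block reads `PAY 9000100 USD `, the block before it is random garbage, and the reference block plus trailer are unchanged; in the truncated message a whole body block has vanished and the check still passes. The fix is the one both answers point at: authenticate the ciphertext with a MAC (or use an AEAD mode) rather than relying on a known trailer.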
