Score:1

changing messages for authentication without the tag changed. (CBC-MAC)

bd flag

do you know about CBC-MAC? I have iv ,MAC and Transaction but no key. and I should change Transaction without change cipher text. do you know how this is possible at all? In addition, I do not have cipher text to find key. information:

Transaction:to=9714163002&from=9711412111&amount=10000000
IV: qes/2BpH9BvVN7f6jFy43g== (base64)
MAC: NEhKNEtaR3lDdzRtWHJJTg== (base64)

9714163002 should exchange to something other than 1234567890 and what I should find and submit is:

Transaction:
IV: 
MAC:
  • The main text of the challenge is as follows:

    Consider the following method for digital signature.

    A. The text P should be downloaded

    B. CBC text is encrypted with a secret key

    C. Discard all code blocks except the last block

    D. The last bulk should be considered as the MAC-CBC digital signature of the text.

    The above method can easily detect any unauthorized changes in the text, because if any changes MAC-CBC will not correspond to the text. Suppose this system is used in banking transactions And any transaction will be valid if the signature is correct. You as the attacker Could you hear a message:

    Transaction:to=9714163002&from=9711412111&amount=10000000 
    IV: qes/2BpH9BvVN7f6jFy43g== 
    MAC: NEhKNEtaR3lDdzRtWHJJTg==
    

IV and MAC are coded base64. If you can change the number 9714163002 with your participant number in the above message, the amount will be credited to your account, but the problem is that the transaction must have a valid CBCMAC and you do not have the key. Find a way to reach your goal without a key. Send your answer to the address of the question. Note that the destination must be your participant number.

farnaz avatar
bd flag
@kelalaka thank you for response. What is better to change the title to?
farnaz avatar
bd flag
@kelalaka this title good? 'changing messages for authentication without the tag changed.'
farnaz avatar
bd flag
@kelalaka Thank you very much for both editing and replying. I'm looking for what you said :)
kelalaka avatar
in flag
[There is a reason that CBC-MAC uses zero IV](https://en.wikipedia.org/wiki/CBC-MAC#Allowing_the_initialization_vector_to_vary_in_value) look at this. With this your answer is simple...
farnaz avatar
bd flag
OK. thanks for sharing.
Gilles 'SO- stop being evil' avatar
Does this answer your question? [Insecurity of CBC-MAC](https://crypto.stackexchange.com/questions/35454/insecurity-of-cbc-mac)
kelalaka avatar
in flag
@Gilles'SO-stopbeingevil' maybe there is another dupe, however, the OP wants fixes to change, this is a simple $IV\oplus P_1$ trick.
farnaz avatar
bd flag
@kelalaka sure, I check the link and try do it. I’m so grateful for your help.
farnaz avatar
bd flag
@Gilles'SO-stopbeingevil' Thank you for your reply too.
kelalaka avatar
in flag
Please don't change the course of the question once answered. For the other case, which is combining two messages there is a dupe question. Let this be a fixed size attack.
Score:1
in flag

There is a good reason to use zero-IV in CBC-MAC; if there is fixed no-Zero IV then an attacker can modify the $IV$ and $P_1$ so that the first block of the plaintext can become the advantage of the attacker.

The first step of the CBC-MAC tag calculation is performed as $$C_1 = E_k(IV \oplus P_1)$$

Now let $P_1'$ be the target first block that the attacker wants to change without changing the CBC-MAC tag. To achieve this simple forgery, they need to keep the same value for the first ciphertext $C_1$ so that the rest will result in the same MAC tag.

$$IV \oplus P_1 = IV' \oplus P_1'$$

Since the attacker knows $P_1$(‡), $IV$ and $P_1'$ than it is easy to find the $IV'$ $$IV' = IV \oplus P_1 \oplus P_1'$$ I.e. the attacker just need a simple x-or operation and transmit.

In this attack, the message size is not changed, only the first block of the plaintext and the IV is changed to forge the MAC. It is possible to combine two messages to forge another one, however, this changes the message size.

This makes a simple forgery on the non-fixed IV in the CBC-MAC. The CBC-MAC is already defined with zero-IV to mitigate this attack and the combining attack.

(‡) The security of the MAC schemes doesn't require the message to be encrypted. Attackers can still modify if there is encryption, this is very easy in CBC mode.

Score:0
my flag

Actually, even if the IV is fixed (say, to the all-zero value), then it is still possible to find a second message that has the same CBC-MAC, even if you don't know the key.

Suppose you have a message $M$ with a CBC-MAC of $T$ (where the CBC-MAC processing used the IV $IV$); we'll also assume that $M$ is at least one block long. Then, the message $Pad(M) || M^*$ also has CBC-MAC of $T$, where:

$Pad(M)$ is message $M$ with the CBC-MAC padding added.

$M^*$ is the same as message $M$ except that the first block $M_0$ is replaced with $M_0 \oplus T \oplus IV$)

Showing this is straight-forward; where the CBC-MAC processes the message $Pad(M) || M^*$, it first processed $Pad(M)$; this is precisely the same as the original message, and so the intermediate state is $T$. Then, the first block of $M^*$ is processed; this value $M_0 \oplus T \oplus IV$ is xor'ed with the current state $T$, resulting in $M_0 \oplus IV$; this is precisely the same value as the corresponding state when initially processing the first block of the original message. Processing the rest of $M^*$ happens identically as processing the original message (as we made no other changes to $M^*$, and so the final state is $T$.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.