Score:0

How to conduct a forgery attack on a CBC-MAC algorithm, given a n block plaintext message T and its corresponding MAC M?

sg flag

I'm trying to carry out a forgery attack on a CBC-MAC algorithm that automatically pads the message.

I have a 5-block message T, consisting of T1, T2, T3, T4 and T5 and its corresponding MAC M. The message is shorter than 5 * block length so it is padded.

I want to construct a message that is not T but has the same MAC M.

Most other questions I have seen are done over either 1-block or 2-block messages.

After seeing other solutions I came up with my solution.

My solution is:

IV XOR T1 || T2 || T3 || T4 || (T5 || pad(T5)) || M XOR IV XOR T1 || T2 || T3 || T4 || T5 ||
Will this give out the original MAC M? If not, what have I done wrong?
And what is the way to do this attack over a message of length n? Is there a formula for that?

kelalaka avatar
in flag
[CBC-MAC Forge Attack Question](https://crypto.stackexchange.com/a/102117/18298)
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.