Score:2

Bit flipping attack in hash function for message authentication


Use of a hash function for message authentication

In this picture we have a use of a hash function for message authentication.

M is the plaintext message, H is the hash function, E is the encryption block with symmetric key K, and || is the concatenation of the plaintext M with the output of E.

Is it true that this is vulnerable to a bit flipping attack? I'm not sure how, though.

This is what they said to me:

You do the bit flipping on the encrypted hash in such a way that it is the hash you want it to be.

In a nutshell:

  1. You have the plaintext message and the encrypted hash.

  2. If you XOR the plaintext hash with the encrypted hash, you get "X" which, if decrypted, gives you all bytes equal to 0.

  3. So to flip the bits you just XOR with the correct hash first and then XOR with the malicious hash.

But 2 and 3 are absolutely unclear to me:

  1. Why, if I XOR the plaintext hash with the encrypted hash, do I get something that, if decrypted, gives 0?

  2. What should I XOR? Why, by doing this, will the hash now be what I want?

fgrieu commented:
The attack in the quote assumes E is a [stream cipher](https://en.wikipedia.org/wiki/Stream_cipher), e.g. a [block cipher](https://en.wikipedia.org/wiki/Block_cipher) in [CTR](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)) or [OFB](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_feedback_(OFB)) mode. Also it names "encrypted hash" the subpart of that stream cipher's ciphertext that's the XOR of the hash and the [keystream](https://en.wikipedia.org/wiki/Keystream), excluding the [IV](https://en.wikipedia.org/wiki/Initialization_vector).
Allexj commented: You are right @fgrieu
Score:4

I believe a counter example could be derived as follows: Suppose that your encryption scheme is a one-time pad, then you have $E(K, M) = K \oplus M$. In your scheme, the output is $(M, E(K, H(M))) = (M, K \oplus H(M))$. Then, observe that an adversary can authenticate a message $\hat{M} \neq M$ as:

$$(\hat{M}, \underbrace{(K \oplus H(M))}_{\text{original tag}} \oplus H(M) \oplus H(\hat{M})) = (\hat{M}, K \oplus H(\hat{M})) = (\hat{M}, E(K, H(\hat{M}))).$$

This is one explanation for steps 2 and 3, and can possibly generalize to other symmetric encryption schemes (beyond one-time pad). For a great exposition of generic authentication techniques, I recommend reading Chapter 9.4 of Boneh-Shoup.
