break it - protect confidentiality and integrity with symmetric key
Hi there,

It's a common practice to encrypt a message and compute its CBC residue
with two different keys in order to protect its confidentiality and
integrity at the same time within a symmetric key system. However,
here's a scheme that is said to provide both and that I can't break.
Can anyone point out its flaw?

Suppose Alice and Bob have their common secret key, Kab, and nobody
else knows it. Bob wants to make sure a message he received was sent
by Alice and has not been modified. Here's what they do:

1. Alice encrypts the message and Kab using Cipher Block Chaining (CBC)
mode, namely, encrypts <m1|m2|...|mn|Kab>. Suppose Kab is one block in
length of 64 bits. She sends Bob <IV, c1|c2|...|cn|cr>, where cr is the
cipher text of Kab.

2. Bob receives some cipher text <IV', C1'|C2'|...|Cn'|Cr'> and
decrypts the received cipher text into <m1'|m2'|...|mn'|Kab'>. Then he
compares Kab' and his copy of Kab to see if they're the same; if not,
he rejects the message; if so, he goes to step 3.

3. Bob computes the CBC residue on the decrypted text. If the computed
residue, Crc, is the same as the received residue, Cr', then he accepts
the message and believes that it's secretly from Alice; otherwise, he
rejects it.

I was told that there was a shortcoming in the protocol, but I just
can't find it. Hopefully, someone can see it.

Thanks.
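Added example, not part of the original post: a small Python model of the three steps above, written to let a reader check the scheme's guarantees mechanically. The block cipher is a hypothetical 64-bit Feistel construction built from SHA-256 (an assumption made only so the code runs offline; it stands in for whatever cipher the post has in mind), and the function names `alice_send`, `bob_receive`, `residue_check_is_vacuous`, `tamper_survives`, `protected_send` and `protected_receive` are mine. Two facts about CBC fall out of running it: CBC-encrypting the CBC-decryption of any ciphertext regenerates that ciphertext block for block, so the residue computed in step 3 always equals cr' and the step verifies nothing; and a decrypted block depends only on its own ciphertext block and the one before it, so the Kab trailer checked in step 2 is tied to the last two ciphertext blocks only, and an altered earlier block is decrypted into a corrupted message that Bob still accepts. The last part models the two-key practice the post opens with (encrypt under one key, CBC residue over the ciphertext under a second key), which rejects the same alteration.

```python
import hashlib
import hmac
import os

BLOCK = 8       # 64-bit blocks, as stated in the post
ROUNDS = 8      # rounds of the toy Feistel cipher (assumption)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key, half, rnd):
    # Keyed round function of the hypothetical Feistel cipher; not a real cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, xor_bytes(l, round_function(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = xor_bytes(r, round_function(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = block_encrypt(key, xor_bytes(m, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor_bytes(block_decrypt(key, c), prev))
        prev = c
    return out


def cbc_residue(key, iv, blocks):
    # The CBC residue is the last CBC ciphertext block.
    return cbc_encrypt(key, iv, blocks)[-1]


def alice_send(kab, message):
    # Step 1: CBC-encrypt <m1|...|mn|Kab> under Kab; returns (IV, c1..cn, cr).
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(kab, iv, message + [kab])


def bob_receive(kab, iv, ct):
    # Steps 2 and 3 as written in the post; returns the message or None.
    pt = cbc_decrypt(kab, iv, ct)
    if pt[-1] != kab:                        # step 2: Kab' must equal Kab
        return None
    if cbc_residue(kab, iv, pt) != ct[-1]:   # step 3: residue must equal cr'
        return None
    return pt[:-1]


def residue_check_is_vacuous(kab, iv, ct):
    # CBC(E) applied to CBC(D) of ct gives back ct, so step 3 holds for every
    # ct, tampered or not, and adds no check beyond step 2.
    return cbc_residue(kab, iv, cbc_decrypt(kab, iv, ct)) == ct[-1]


def tamper_survives(kab, iv, ct, index):
    # Flip one bit in ciphertext block `index` and ask whether Bob accepts.
    # Block i of the plaintext is D(c_i) XOR c_{i-1}, so only plaintext blocks
    # index and index+1 change; for index <= len(ct)-3 the Kab trailer is intact
    # and both checks pass although the message block is garbled.
    bad = list(ct)
    bad[index] = xor_bytes(bad[index], b"\x01" + b"\x00" * (BLOCK - 1))
    return bob_receive(kab, iv, bad) is not None


# Two-key practice from the post's opening: encrypt under k_enc, then compute a
# CBC residue (CBC-MAC) under an independent k_mac over IV||ciphertext, with a
# length block in front so variable-length inputs are not ambiguous.
def mac_tag(k_mac, iv, ct):
    length_block = len(ct).to_bytes(BLOCK, "big")
    return cbc_residue(k_mac, bytes(BLOCK), [length_block, iv] + ct)


def protected_send(k_enc, k_mac, message):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(k_enc, iv, message)
    return iv, ct, mac_tag(k_mac, iv, ct)


def protected_receive(k_enc, k_mac, iv, ct, tag):
    # Verify the tag (constant-time compare) before decrypting anything.
    if not hmac.compare_digest(tag, mac_tag(k_mac, iv, ct)):
        return None
    return cbc_decrypt(k_enc, iv, ct)
```

With a four-block message the ciphertext has five blocks; `tamper_survives` returns True for indexes 0, 1 and 2 and False for 3 and 4, which is exactly the coverage the Kab trailer provides. The second key in `protected_receive` is what turns the residue into an integrity check: Bob cannot recompute it from the received ciphertext alone under the decryption key, so it is no longer a tautology.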
