# break it - protect confidentiality and integrity with symmetric key

*From*: "000" <osrhyme@xxxxxxxxx>
*Date*: 22 Jan 2006 01:18:23 -0800

Hi there,

It's a common practice to encrypt a message and compute its CBC residue with two different keys in order to protect its confidentiality and integrity at the same time within a symmetric key system. However, here's a scheme that is said to provide both and that I can't break. Can anyone point out its flaw?

Suppose Alice and Bob have their common secret key, Kab, and nobody else knows it. Bob wants to make sure a message he received is sent from Alice and has not been modified. Here's what they do:

1. Alice encrypts the message and Kab using Cipher Block Chaining (CBC) mode, namely, encrypts <m1|m2|...|mn|Kab>. Suppose Kab is one block in length, 64 bits. She sends Bob <IV, c1|c2|...|cn|cr>, where cr is the ciphertext of Kab.

2. Bob receives some ciphertext <IV', C1'|C2'|...|Cn'|Cr'> and decrypts the received ciphertext into <m1'|m2'|...|mn'|Kab'>. Then he compares Kab' and his copy of Kab to see if they're the same; if not, he rejects the message; if so, he goes to step 3.

3. Bob computes the CBC residue on the decrypted text. If the computed residue, Crc, is the same as the received residue, Cr', then he accepts the message and believes that it's secretly from Alice; otherwise, he rejects it.

I was told that there was a shortcoming in the protocol, but I just can't realize it. Hopefully, someone can see it.

Thanks.

000

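The three steps above, as an added illustration that is not code from the post or its follow-ups: Alice's encryption and Bob's two checks in Python, with a toy SHA-256-based Feistel network standing in for a 64-bit block cipher so it runs offline, and with the assumption that Bob chains his step-3 residue computation from the received IV'.

```python
import hashlib

# Toy 64-bit Feistel block cipher built from SHA-256, a stand-in for a real
# 64-bit cipher so the example runs offline (illustration only, not for real use).
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(8):                    # 8 Feistel rounds
        l, r = r, xor(l, _f(key, r, i))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(8)):          # undo the rounds in reverse order
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for m in blocks:
        prev = block_encrypt(key, xor(m, prev))
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> list:
    # Each m_i' depends only on c_{i-1} and c_i, as in plain CBC.
    return [xor(block_decrypt(key, c), prev) for prev, c in zip([iv] + blocks, blocks)]

def alice_send(kab: bytes, iv: bytes, msg: list) -> list:
    # Step 1: CBC-encrypt <m1|...|mn|Kab>; the last block cr is the residue.
    return cbc_encrypt(kab, iv, msg + [kab])

def bob_receive(kab: bytes, iv: bytes, ct: list):
    # Step 2: decrypt and compare the trailing block Kab' with Bob's own Kab.
    plain = cbc_decrypt(kab, iv, ct)
    if plain[-1] != kab:
        return None
    # Step 3: recompute the CBC residue over the decrypted text; assumed here
    # that Bob chains from the received IV' (the reading that keeps step 3 consistent).
    if cbc_encrypt(kab, iv, plain)[-1] != ct[-1]:
        return None
    return plain[:-1]                     # accepted message m1'..mn'
```

Running it shows why the scheme gives no real integrity: re-encrypting the decrypted text under the same key and IV' just reproduces the received ciphertext, so step 3 always agrees with Cr', and since Kab' depends only on cn' and Cr', a change to an earlier ciphertext block garbles two plaintext blocks yet passes both checks. That is the gap a CBC residue under a separate key, as in the common practice mentioned at the top of the post, is meant to close.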

**Follow-Ups**: **Re: break it - protect confidentiality and integrity with symmetric key** *From:* Tom St Denis
