Re: break it - protect confidentiality and integrity with symmetric key



"000" <osrh...@xxxxxxxxx> wrote:
> 3. Bob computes the CBC residue on the decrypted text. If the computed
> residue, Crc, is the same as the received residue, Cr', then he accepts
> the message and believes that it's secretly from Alice; otherwise, he
> rejects it.
>
> I was told that there was a shortcoming in the protocol, but I just
> can't realize it. Hopefully, someone can see it.

It's trivial to break. I can modify any block I want since CBC uses
the ciphertext not plaintext. So as long as I don't modify the second
to last block your decrypted Kab will always check out.

A proper CBC-MAC does not give out the intermediate values to be
meddled with and if you do CBC encrypt it obviously should be under a
different key.

Tom

.