Question

Alice has four blocks of plaintext, Po,Pi,P2,P3, which she encrypts using CBC mode to obtain C0,C1,C2,CZ. She then sends the IV and ciphertext to Bob. Upon receiving the ciphertext, Bob plans to verify the integrity as follows. He'll first decrypt to obtain the putative plaintext, and then he'll re-encrypt this plaintext using CBC mode and the received IV. If he obtains the same C3 as the final ciphertext block, he will trust the integrity of the plaintext.

Is Bob's integrity checking method secure? explain why or why not.

Answer 1

Encryption Decryption

C0 = E(IV ⊕ P0, K) P0 = IV ⊕ D(C0, K)

C1 = E(C0 ⊕ P1, K) P1 = C0 ⊕ D(C1, K)

C2 = E(C1 ⊕ P2, K) P2 = C1 ⊕ D(C2, K)

C3 = E(C2 ⊕ P3, K) P3 = C2 ⊕ D(C3, K)

a) According to the question if Trudy changes C1 to X, and other cipher blocks and IV block are unchanged then Bob can detect that data lacks integrity.

The proceedure is as follows:

As C1 is changed to ’X’,P1 and P2 will be affected while decrypting.

When we re encrypt P0, P1 (affected), P2 (affected), P3 with unchanged IV block we get un affected C0 , and affected C1, C2, C3.

So, as C3 doesn’t match Bob can detect lack of data integrity.

b) According to the question if Trudy changes C3 to Y, and other cipher blocks and IV block are unchanged then Bob can detect that data lacks integrity.

The proceedure is as follows:

As C3 is changed to ’Y’,P3 will be affected while decrypting.

When we re encrypt P0, P1, P2 , P3 (affected) with unchanged IV block we get un affected C0, C1 & C2, and affected C3.

So, Bob can detect lack of data integrity as C3 doesn’t match.

c) Bob’s Integrity method is secure as each block is depending on previous block data.