0

Suppose I have a protocol where fixed-length messages (1280 bytes, no padding) are encrypted with AES in CBC mode. I want to put some data in the message body to verify that the message is authentic. From Wikipedia,

Block ciphers in the cipher block chaining mode of operation, for example, are partly malleable: flipping a bit in a ciphertext block will completely mangle the plaintext it decrypts to, but will result in the same bit being flipped in the plaintext of the next block. This allows an attacker to 'sacrifice' one block of plaintext in order to change some data in the next one, possibly managing to maliciously alter the message.

But how would this defeat any complicated scheme that one could come up with? Suppose that before encryption, I set the last byte in each block to be the first byte of a SHA256 hash of all previous bytes in the message. So if you change the bits in one block to try and alter the next block, the hash for the current block isn't going to work out anymore. I suppose the best attack would be to change data in the final block and hope that the first byte of that hash works out the same (1/256 chance). What am I missing?

HiddenBabel
  • 103
  • 1

1 Answer

1

You are missing that the Wikipedia article only describes plain CBC. What you are instead proposing is some kind of MAC in addition to CBC. Properly implemented CBC+MAC is actually resistant against modification of the plaintext, and it is also used in practice, for example in TLS ciphers like TLS_RSA_WITH_AES_128_CBC_SHA (AES with a MAC using SHA-1).

But see "Should we MAC-then-encrypt or encrypt-then-MAC?" on how best to combine encryption and MAC, and "Padding oracles and the decline of CBC-mode cipher suites" for other problems with CBC+MAC.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
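To make the answer's point concrete, here is an added example (not code from the question, the answer, or any project) using Go's standard library: it shows the bit-flip property from the Wikipedia quote on plain CBC, and that an encrypt-then-MAC tag (HMAC-SHA256 over IV and ciphertext, checked before decryption) rejects the modified message. The keys, IV and message are constructed for the demo; the message is block-aligned with no padding, as in the question.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

var (
	encKey   = []byte("0123456789abcdef") // constructed demo key; derive real keys properly
	macKey   = []byte("fedcba9876543210") // constructed, independent of encKey
	iv       = make([]byte, aes.BlockSize) // zero IV: fine offline, use a fresh random IV per message in practice
	block, _ = aes.NewCipher(encKey)
)

// cbcDecrypt is plain, unauthenticated AES-CBC over a block-aligned, padding-free buffer.
func cbcDecrypt(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt
}
// tagOf is the encrypt-then-MAC tag: HMAC-SHA256 over iv || ciphertext.
func tagOf(ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}
// open compares tags in constant time and decrypts only when they match.
func open(ct, tag []byte) ([]byte, bool) {
	if !hmac.Equal(tagOf(ct), tag) {
		return nil, false
	}
	return cbcDecrypt(ct), true
}
// demo flips one bit in ciphertext block 0: plain CBC garbles block 0 and flips the same bit in block 1; the MAC check rejects the message.
func demo() (garbled0, flipped1, rejected bool) {
	msg := []byte("amount=0000000100;to=account-042") // 32 bytes, constructed
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, msg)
	mod := append([]byte(nil), ct...)
	mod[7] ^= 0x01 // lands on byte 7 of plaintext block 1 after decryption
	pt := cbcDecrypt(mod)
	want := append([]byte(nil), msg[16:]...)
	want[7] ^= 0x01
	_, ok := open(mod, tagOf(ct))
	return string(pt[:16]) != string(msg[:16]), string(pt[16:]) == string(want), !ok
}
func main() { fmt.Println(demo()) } // prints: true true true
```

The per-block hash byte from the question would catch the same modification only with probability 255/256 per block, whereas the full-length HMAC leaves no such guessing room.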