know that the first nibble is “A”, and he wants to change it to a “C” (pretend this is a really simple protocol where C is an identifier representing the attacker and B is a value indicating that A or C should get a million dollars). Because “A” XOR “C” is “2”, he can XOR the first nibble of the ciphertext with 2 to produce 0x82. When the recipient decrypts it, he applies the keystream byte 0x34 and reveals 0xCB.
This is called a bit-flipping attack, and CTR mode is particularly vulnerable to it. If the attacker knows part of the plaintext, he can change it to anything he wants by XORing the known plaintext with the desired plaintext and then XORing that with the ciphertext. Of course, you can probably guess the solution: a MAC. This is why AEAD (authenticated encryption with associated data) ciphers are so named; they use a cipher mode that must be combined with a MAC function.
Reusing Existing Functionality for Secure Hashes with CBC-MAC
Chapter 4 focuses on HMAC to provide Message Authentication Codes; HMAC is a widely used, intensively scrutinized MAC algorithm. It isn't, however, the only way to generate a secure MAC. Recall from Chapter 4 what sort of qualities you should look for in a good MAC algorithm. It should be impossible:
- To reverse-engineer. Knowing the input and the MAC should not make it any easier to discover the shared MAC key.
- For somebody without the shared key to generate a valid MAC.
- To deliberately construct a message such that it shares a MAC with another message.
- To engineer two separate messages that share a MAC.
Of course, to be cryptographically correct, you must replace the word “impossible” with “computationally infeasible” in the requirements, but this is the essence of a keyed-MAC construction. The second two requirements are met by the use of secure hash algorithms; the first two come from the HMAC construct itself.
Similar to the concept of using OFB or CTR mode to convert a block cipher into a stream cipher, CBC-MAC converts a block cipher into a secure keyed-MAC construction. The construct itself is simple; you can probably guess how it works. Encrypt the input using the block cipher in CBC mode — start with an IV of all zeros. Throw away all output blocks except the last; this is your MAC. Notice that a secure hash of the input is not computed or required with CBC-MAC. You can actually implement this using the aes_encrypt function from Listing 2-42 directly, but to be a bit more memory efficient, you should write a separate function that only uses a single block of output, as shown in Listing 9-13.
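As an added example (not one of the book's listings), the construction just described in Go using the standard library's AES and CBC mode, keeping only a single block of output; the key and message are constructed values, and the main function reuses the text's "A"-to-"C" flip to show the MAC rejecting it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// cbcMAC CBC-encrypts msg under key with an all-zero IV and keeps only the
// final ciphertext block. msg must be a non-empty whole number of AES blocks;
// padding it (and binding its length) is the caller's job.
func cbcMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(msg) == 0 || len(msg)%bs != 0 {
		return nil, fmt.Errorf("length %d is not a non-zero multiple of %d", len(msg), bs)
	}
	enc := cipher.NewCBCEncrypter(block, make([]byte, bs)) // zero IV
	tag := make([]byte, bs)
	// One block at a time into the same buffer: the chaining state lives in
	// enc, so only a single block of ciphertext is ever held in memory.
	for i := 0; i < len(msg); i += bs {
		enc.CryptBlocks(tag, msg[i:i+bs])
	}
	return tag, nil
}

// verifyCBCMAC recomputes the tag and compares it in constant time.
func verifyCBCMAC(key, msg, tag []byte) bool {
	want, err := cbcMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	key := []byte("0123456789abcdef")                  // constructed 128-bit key
	msg := []byte("A pays B one million dollars....") // constructed, 2 blocks
	tag, _ := cbcMAC(key, msg)
	// The flip from the text: XOR the byte with (known ^ desired), here 'A'^'C'.
	forged := append([]byte(nil), msg...)
	forged[0] ^= 'A' ^ 'C'
	fmt.Println("original verifies:", verifyCBCMAC(key, msg, tag))
	fmt.Println("forged verifies:  ", verifyCBCMAC(key, forged, tag))
}
```

Raw CBC-MAC with a zero IV, as described here, is only secure for messages of a single fixed length; for variable-length messages the length must be bound into the input (or a variant such as CMAC used), which is why the example leaves padding to the caller.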