Cryptography Reference
In-Depth Information
all — $C_0$ won't mean anything to a potential attacker. This 'zeroth' plaintext
block, $C_0$, is called the initialization vector (IV), a somewhat unfortunate
name; it would be better called the 'initialization block'.
The CBC mode has several important benefits:
1. Plaintext patterns are destroyed. Every ciphertext block depends on all
previous plaintext blocks.
2. Two identical plaintexts are transformed into different ciphertexts if they
have different initialization vectors, $C_0$. This is normally the case when
$C_0$ was well chosen (sufficiently random). This finally does away with
a common ciphering error: sending an encrypted text repeatedly with
almost no changes, and encrypting the same text with different keys.
3. A brute-force attack against time-memory tradeoff (Section 4.4.1) would
take three times as long as normal because a fixed plaintext block occurs
only with a probability so small it is negligible.
4. CBC can generally also thwart chosen-plaintext attacks. Only an algorithm
vulnerable to normal plaintext attacks is not better protected by CBC.
After all, an eavesdropper knows the ciphertext blocks and, if he learns
the plaintext, he can also recover the input blocks for the algorithm
(i.e., the sums $C_n \oplus P_{n+1}$). But modern (symmetric) methods should be
resistant to plaintext attacks anyway.
Though each ciphertext block depends on the entire 'history', a block that was
garbled during the transmission won't be disastrous: it will turn only two
plaintexts into gibberish. This argument is not always important. The integrity of
data transmitted over insecure channels is today normally ensured by
checksums and redundancy. For example, the Internet Protocol (IP) resends garbled
data packets; CD-ROMs encode 8-bit information by 14 recorded bits to ensure
that bits missing due to data errors (which happen frequently in practice) can
be computed from other bits.
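The IV property from benefit 2 and the two-block error propagation described above, as an added example that is not from the book. The 16-byte Feistel cipher built from SHA-256 is a constructed stand-in for a real block cipher and is not secure; all function names, the key and the sample data are assumptions made for this illustration.

```python
import hashlib

BLOCK = 16  # bytes per block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy Feistel cipher (NOT secure)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    if len(pt) % BLOCK:
        raise ValueError("whole blocks only; padding is out of scope here")
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(prev, pt[i:i + BLOCK]))  # C_n = E(C_{n-1} xor P_n)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(prev, dec_block(key, ct[i:i + BLOCK])))  # P_n = D(C_n) xor C_{n-1}
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def garbled_blocks(key, iv, pt, byte_index):
    # Simulate a one-bit transmission error; list the plaintext blocks it ruins.
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[byte_index] ^= 0x01
    got = cbc_decrypt(key, iv, bytes(ct))
    return [n for n in range(len(pt) // BLOCK)
            if got[n * BLOCK:(n + 1) * BLOCK] != pt[n * BLOCK:(n + 1) * BLOCK]]

# Constructed sample data: five identical plaintext blocks, two different IVs.
KEY, PT = b"constructed-demo-key", b"SAME 16B BLOCK!!" * 5
IV_A, IV_B = bytes(BLOCK), bytes([1]) + bytes(BLOCK - 1)
```

Calling `garbled_blocks(KEY, IV_A, PT, BLOCK + 3)` damages ciphertext block 1 and reports plaintext blocks 1 and 2 as wrong; every later block decrypts correctly because its predecessor ciphertext block arrived intact.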
CBC has several theoretical security flaws, too. First, it is vulnerable to the
so-called bit-twiddling attack. The attacker knows the structure of the plaintext
and wants to change it. For example, he wants to give himself a raise, say from
398 dollars to 16 782 dollars (and quickly disappear once he has received the
paycheck). If he can intercept and change the encrypted message before the
receiver gets it, then all he does is change the correct bit ahead of the number