We can see that ciphertext stealing allows us to substitute things 'in place'. With
the CBC mode, however, we would have to accommodate the initialization
vector (IV) elsewhere, or be able to compute it from the context any time (for
databases, for example, from user and record numbers).
5.1.3 Integrating Checksums
When the encryption does not have to be done 'in place', i.e., when ciphertext
and plaintext don't have to have the same length, it is recommended to append
a checksum to the plaintext: it allows us to check the text integrity at any given
time. This is certainly nothing new to you.
But there is another practical situation where encrypted checksums can come
in handy: suppose you have an encrypted file many megabytes long and you want
to edit the corresponding plaintext. If you enter a wrong password, the deciphering
algorithm will create a 'plaintext' all the same, though it will be anything but
'plain'. Only at the very end of the decryption may your program find that the
checksum is not correct and ask you to enter a new password. Meanwhile, it
has created one more 'dead data body' and consumed considerable computer
resources for nothing. Or perhaps the program works without checksums, and
you will painfully notice your error only when you first attempt to edit the plaintext.
This is annoying and user-unfriendly. Wouldn't it be simpler if your program
were to refuse wrong passwords right away without compromising security? It is
possible, and the trick is even very simple; the only difficulty is recognizing
the need for it.
We choose a random block, $I_0$, and encrypt it; we obtain a block $I_1$. We put
both blocks, $I_0$ and $I_1$, in front of the plaintext and encrypt the plaintext
thus expanded. $I_0$ becomes $C_1$, $I_1$ becomes $C_2$, and $P_1$ eventually becomes $C_3$,
and so on (see Figure 5.5).
During the decryption process, we stop after the computation of plaintext block
$I_1$ to check whether or not $C_0$ coincides with $I_1$. If it doesn't, the password
must be wrong; if it does, then there is a high likelihood that it is correct.
A theoretical drawback of this method is, however, that the plaintext block
$I_1 = C_0$ is known. But resistance to known-plaintext attacks is taken for granted in
modern methods anyway.
Numerous variants are possible here: with the CBC mode, we can use $I_0$ directly
as the initialization vector. We encrypt the first two blocks, $I_0$ and $I_1$, as shown
in Figure 5.5 in ECB mode, and then switch to CBC from the third block
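The CBC variant just described, as an added example that is not from the book: a random $I_0$ is encrypted to $I_1$, the two blocks go in front of the data in ECB mode, $I_0$ serves as the CBC IV, and decryption aborts with "wrong password" as soon as the second ciphertext block fails to decrypt to the first one, before any bulk data is processed. The block cipher is a toy 4-round Feistel network keyed through SHA-256 standing in for a real cipher, and the salted PBKDF2 password-to-key step and PKCS#7 padding are my own assumptions, not part of the text.

```python
# Added example, not from the book. The toy Feistel cipher below only stands in
# for a real block cipher (e.g. AES) so the code runs offline; never use it for real data.
import hashlib, hmac, os
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:           # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _key(password: str, salt: bytes) -> bytes:              # assumed KDF, not from the book
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def encrypt(password: str, plaintext: bytes) -> bytes:
    salt, i0 = os.urandom(16), os.urandom(BLOCK)            # I_0 is a random block
    key = _key(password, salt)
    i1 = encrypt_block(key, i0)                              # I_1 = E(I_0)
    out = [i1, encrypt_block(key, i1)]                       # I_0 and I_1 in ECB mode
    n = BLOCK - len(plaintext) % BLOCK
    data, prev = plaintext + bytes([n]) * n, i0              # PKCS#7 pad; I_0 is the CBC IV
    for off in range(0, len(data), BLOCK):                   # CBC from the third block on
        prev = encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out.append(prev)
    return salt + b"".join(out)

def decrypt(password: str, blob: bytes) -> bytes:
    salt, c = blob[:16], blob[16:]
    key = _key(password, salt)
    i0, i1 = decrypt_block(key, c[:BLOCK]), decrypt_block(key, c[BLOCK:2 * BLOCK])
    # Early check: the second block must decrypt to the first ciphertext block.
    if not hmac.compare_digest(i1, c[:BLOCK]):
        raise ValueError("wrong password")                   # bulk data never decrypted
    out, prev = [], i0
    for off in range(2 * BLOCK, len(c), BLOCK):
        out.append(_xor(decrypt_block(key, c[off:off + BLOCK]), prev))
        prev = c[off:off + BLOCK]
    data = b"".join(out)
    return data[:-data[-1]]                                   # strip PKCS#7 padding
```

A wrong password is rejected after two block decryptions regardless of file size, which is exactly the saving the text is after; a correct password still passes the check with overwhelming probability rather than certainty.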