Cryptography Reference
In-Depth Information
think that when a message is encrypted it is not possible for the adversary to modify
it in a meaningful way and hence that encryption suffices to guarantee integrity. But
this idea is far off the mark as can be seen by considering, for example, the one-time
pad encryption scheme, which has the strongest security property of all, namely,
perfect secrecy. In this case, an adversary who knows that some quantity is being
transmitted may alter the message in a meaningful way as the following example
shows:
Example 5.1
Let us consider the implementation of one-time pad encryption given
to Bob (Bob might be a bank in this example) the following message:
> m := "Please transfer from my account to Eve's account the amount of $1000":
Alice sends the message to Bob encrypted with
OTP
using the following key:
> k := "d1e5342179e59719d99fc6384c8288a743ab02b002b9564b96fdafc9c45f49ce6cde50924d\
e9c66c933a30b898eb707a4d29a7a005b23173409ee099db51f4328ca9f839"
Thus Alice sends to Bob the following ciphertext:
> c := OTP(k, m);
c := "818951400a80b76dabfea84b2ae7fa8725d96ddd22d42f6bf79ecca6b1313dee18b170d73b8c\
e11fb35b53dbf79e1e0e6d5dcfc525d35c1c35f094b9b437d416bd99c809"
Eve intercepts the ciphertext and she would like the amount to be transferred to
her account to be higher, more like $9000
.
She suspects that the last four characters
correspond to the amount to be transferred and hence that the fourth-to-last ciphertext
character probably comes from the “1” in $1000. Thus she computes the bitwise Xor
of bytes 49 and 57 (which are the ASCII codes of “1” and “9”) and the fourth-to-last
byte in the ciphertext,
bd
(which is 189 in decimal). This gives:
> bytestohexstring(BitXor(BitXor(49, 57), 189));
"b5"
Thus Eve knows that she wants to replace
"bd"
by
"b5"
. She does it and Bob
receives the ciphertext:
> c1 := StringTools:-Substitute(c, "bd", "b5");
c1 := "818951400a80b76dabfea84b2ae7fa8725d96ddd22d42f6bf79ecca6b1313dee18b170d73b8\
ce11fb35b53dbf79e1e0e6d5dcfc525d35c1c35f094b9b437d416b599c809"
Now, Bob decrypts and voilà!:
> OTP(k, c1, decrypt);
"Please transfer from my account to Eve's account the amount of $9000"
Thus Eve, without knowing the secret key, has altered the ciphertext to her advan-
tage. This was a consequence of the fact that Eve guessed a plaintext character but,
even without this knowledge, an adversary that knows that the last four characters
encrypt a number can also change the ciphertext in a meaningful way. For example,
if the adversary flips the fifth bit in the fourth-to-last ciphertext byte (since the dec-
imal digits have ASCII codes ranging between 48 and 57, changing one of the four
most significant bits would replace the digit by a non-digit character),
bd
is, again,
changed to
b5
and the dollar amount is changed to $9000. Similarly, if the sixth
