You have been provided with a message, a MAC, and an IV. The MAC is the AES-CBC-
Question
You have been provided with a message, a MAC, and an IV. The MAC is the AES-CBC-MAC that is valid for this message and IV. However, you do not know the key that was used. Without knowing the key, use the provided information to construct a valid MAC for a selected IV for the message.
Question details:
Message: Those words were
IV: 64-74-65-61-6E-65-71-66-6E-6A-6F-6D-78-6F-70-74
MAC: C2 AB 2A 60 0F A7 C8 0D 44 38 04 1A A5 B9 E1 A0
1. What was the input that created the MAC you were given?
2. What are the values of the IV and the MAC for the message “Hello World”, assuming this MAC was also created using AES-CBC-MAC and the same secret key?
Explanation / Answer
I understood that the reason for CBC-MAC not to have a random IV is that if CBC-MAC has a random IV, the attacker can change the P1 block, making the tag arbitrary, so the CBC-MAC scheme can be insecure. Am I right?
If you assume that the attacker can know the first block of the message and can control the IV then it is easy to see that you can create an identical authentication tag for multiple IV / initial message block pairs. If the input of the first block encrypt and the following blocks are identical, then the authentication tag will repeat.
This won't work for the other blocks as the cipher will change the bits of the next vector independently of the change. An attacker doesn't gain much by being able to change 50% of the input of the cipher randomly.
The attacker can make the tag arbitrary, not depending on the IV, because of the property of encryption blocks. Then why should we not use an IV, or use an all-zero IV?
I don't think the statement in the first sentence of the question is correct. The attacker should not be able to create a valid authentication tag, because the attacker does not know/control the key.
It's however unclear what you mean by encryption block property.
If we use a random IV, then the sender and receiver must share an IV before the receiver receives the tag, and that is inefficient, so we don't have to use a random IV. Did I understand right?
No. For CBC encryption the IV needs to be unpredictable to the attacker. There are however schemes such as encrypting a counter to generate an unpredictable IV without actually including it with the ciphertext.
As indicated, we don't use a random IV for CBC-MAC. CBC-MAC relies on CBC mode of operation but it doesn't use it for providing confidentiality. So the security requirements of the IV being unpredictable are not applicable to CBC-MAC.
Are there any other attacks that can be made if we use a random IV?
After completely losing integrity / authentication of a full block of the message, I guess we don't need any others.
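The IV / first-block relation described in the answer, worked through with the values from the question, as an added example that is not part of the original page. Assumptions: the 16-byte message is MACed as a single unpadded block, the shorter message is zero-padded (the page does not state the padding), truncated HMAC-SHA256 stands in for AES because the Python standard library has no AES, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def zero_pad(msg: bytes) -> bytes:
    # Assumed padding: zero bytes up to the block boundary (not stated on the page).
    return msg + b"\x00" * (-len(msg) % BLOCK)

def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES_k(block). The XOR relation below holds for any keyed
    # function applied to (IV xor P1), so the real cipher is not needed here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_mac(key: bytes, iv: bytes, msg: bytes) -> bytes:
    state, padded = iv, zero_pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = block_fn(key, xor(state, padded[i:i + BLOCK]))
    return state

def first_block_input(iv: bytes, msg: bytes) -> bytes:
    # What the cipher actually sees for the first block: IV xor P1.
    return xor(iv, zero_pad(msg)[:BLOCK])

def iv_for_same_tag(iv: bytes, msg: bytes, new_msg: bytes) -> bytes:
    # IV' = IV xor P1 xor P1' leaves the first cipher input unchanged.
    # Only valid when any later blocks of both messages are identical.
    return xor(first_block_input(iv, msg), zero_pad(new_msg)[:BLOCK])

# Values from the question.
IV = bytes.fromhex("64-74-65-61-6E-65-71-66-6E-6A-6F-6D-78-6F-70-74".replace("-", ""))
MSG, NEW_MSG = b"Those words were", b"Hello World"
NEW_IV = iv_for_same_tag(IV, MSG, NEW_MSG)

def tags_collide(key: bytes, fixed_iv: bytes = None) -> bool:
    # fixed_iv=None models a verifier that trusts the transmitted IV;
    # with a fixed IV the transmitted one is ignored (the mitigation).
    iv_a, iv_b = (IV, NEW_IV) if fixed_iv is None else (fixed_iv, fixed_iv)
    return hmac.compare_digest(cbc_mac(key, iv_a, MSG), cbc_mac(key, iv_b, NEW_MSG))

if __name__ == "__main__":
    key = os.urandom(16)  # constructed key; the real key stays unknown
    print("cipher input:      ", first_block_input(IV, MSG).hex("-"))
    print("IV for new message:", NEW_IV.hex("-"))
    print("same tag, transmitted IV:", tags_collide(key))
    print("same tag, fixed zero IV: ", tags_collide(key, bytes(BLOCK)))
```

Because the first cipher input is identical for both (IV, message) pairs, the MAC given in the question carries over unchanged under the real key; a verifier that fixes the IV removes that degree of freedom.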