I\'m aware that it\'s crucial to include the IV when calculating the HMAC of a c

Question

I'm aware that it's crucial to include the IV when calculating the HMAC of a ciphertext (assuming an IV is used). Can anyone explain, in simple terms, why this is?

Furthermore, assume that there is other metadata associated with the cipher, which needs to be known to correctly decrypt the ciphertext (for example, the type of algorithm used, the mode, options such as configurable block size, etc). Is there any sense in including this information when calculating the HMAC? Or on the contrary, is the any reason not to?

Explanation / Answer

Yes, it is best to include all that information in the HMAC. Otherwise an attacker can change those values and you would not get the correct plain text. This would mean that you get either incorrect information, or you leak information that could be used for padding oracle attacks.

In case of the IV, if you don't include it in the HMAC then the attacker can change the first block of plain text you get when you decrypt the first block (assuming CBC mode encryption here).

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.