Question
I agree that for certain encryption systems or modes of operation, a MAC is indispensable.
The best examples are probably stream ciphers (and therefore also block ciphers in OFB or CTR mode) that allow an attacker to arbitrarily flip bits in the ciphertext, resulting in flipped bits at the same position in the plaintext after decryption.
However, I somehow always thought that that wouldn't apply to "modern" block ciphers in some reasonable mode of operation, e.g. AES-CBC. Since there is no clear relation between a bit in the ciphertext and a bit in the plaintext, I thought that any small modification would cause a totally different plaintext.
With that in mind, I thought it would be enough to simply concatenate the plaintext with some simple checksum to check for that kind of tampering; a cryptographic hash didn't even seem necessary to me.
But in reality, pretty much every reasonable application of AES-CBC also seems to be using MACs, so I'm almost certain that there is an error somewhere in my reasoning.
Explanation / Answer
In addition to what mikeazo and Ilmari mentioned, there are also several chosen-ciphertext attacks on various modes of operation, which endanger not only the message integrity but also the message privacy when no message authentication is used.
For example, such attacks on CBC mode were used to break the XML Encryption Standard, by analyzing the error messages from the receiver for various slightly modified versions of captured messages. With a MAC, these "forged" messages would not have been passed to the decryption algorithm (or the XML interpreter behind it) at all, but rejected due to an invalid MAC.
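The questioner's assumption that "any small modification would cause a totally different plaintext" does not hold for CBC: flipping one ciphertext bit garbles only that block and flips the same bit in the next block, and only an encrypt-then-MAC check that runs before decryption stops such a message from reaching the decryptor. The following Go program is an added illustration (not code from the question or either answer); the keys, the fixed IV and the two-block message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys; a real system uses fresh random keys, one per purpose.
var encKey = []byte("0123456789abcdef") // 16 bytes: AES-128, so NewCipher cannot fail
var macKey = []byte("fedcba9876543210")

// Raw AES-CBC with no padding (input length must be a multiple of 16 bytes).
func cbc(iv, in []byte, decrypt bool) []byte {
	blk, _ := aes.NewCipher(encKey)
	mode := cipher.NewCBCEncrypter(blk, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// Encrypt-then-MAC tag over IV || ciphertext, verified before any decryption.
func tag(iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// FlipDemo flips one bit of ciphertext block 0 and returns what CBC decryption
// yields, plus whether the MAC check would have let the message through.
func FlipDemo() (pt []byte, macAccepted bool) {
	iv := bytes.Repeat([]byte{0x42}, 16)                    // constructed fixed IV, for reproducibility
	msg := []byte("header: 16 bytes" + "field-b=0 xxxxxx") // two 16-byte blocks
	ct := cbc(iv, msg, false)
	t := tag(iv, ct)
	ct[8] ^= 0x01 // block 0 now decrypts to garbage, but byte 8 of block 1 flips predictably
	return cbc(iv, ct, true), hmac.Equal(t, tag(iv, ct))
}

func main() {
	pt, ok := FlipDemo()
	fmt.Printf("MAC accepted: %v\nblock 0: %q\nblock 1: %q\n", ok, pt[:16], pt[16:])
}
```

Running it prints block 1 as "field-b=1 xxxxxx" while the HMAC comparison fails, which is exactly why the receiver must verify the tag and discard the message before decrypting rather than relying on the mode to scramble tampered data.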