2

I've seen that encrypting an image with AES-CBC then calculating the HMAC-MD5 value for authentication is a somewhat common and sound way to secure data. Alternatively, can I just calculate the CRC of the data, and then encrypt the data+CRC with AES-CBC?

I am concerned about a ciphertext-only attack modifying the data and that data then being decrypted and executed/processed. Can I assume that it is unreasonably difficult to maliciously modify encrypted data in a way that results in the same CRC or modifies the encrypted CRC to match? If that assumption can be made, then is it necessary to also do an HMAC-MD5 calculation of the encrypted data?

Trevor

2 Answers

2

In crypto, we like designs that are secure in (most) all use cases. There is a use case of your proposal that is trivially insecure.

Consider the AES cipher run in a stream-like mode (e.g., CTR). Due to the linearity of CRC (i.e., $CRC(X\oplus Y\oplus Z)=CRC(X)\oplus CRC(Y)\oplus CRC(Z)$) and the malleability property of stream ciphers, it is very easy to modify the plaintext and then change the CRC so that it will still be correct.

I don't know if non-stream-like modes (e.g., CBC) have issues with your proposed design, but the fact that some modes do should steer people away from it.

So where we are is, the proposal is shown to be trivially insecure for a number of modes. I don't know if it is secure for certain other modes or constructions. So, yes, HMAC (or some other MAC) is necessary even though a CRC of the data is encrypted. In other words, CRC (even though it is encrypted) is not a good MAC.

P.S. You may find this question interesting.

mikeazo
1

No, because in CBC mode, changes to a block of the ciphertext only affect the ciphertext locally.

Also, if data+CRC pads to only one block, then XORing the leftmost part of the IV with a string of length len(data+CRC) will cause the output of CBC decryption to be XORed by the same string.

Since CRC is linear, it follows that using your proposal with short messages is "XOR-malleable", like the one-time pad.
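The following is an added worked example, not code from either answer or from any library discussed. It demonstrates both answers' point at once: the three-term CRC linearity identity from the first answer, the fact that a stream-like mode lets a ciphertext-only change carry a compensating CRC patch so the "encrypted CRC" check still passes, and the contrast with a proper MAC, which rejects the same bit flips. The keystream is a constructed SHA-256 counter stream standing in for AES-CTR (so the block runs on the standard library alone; the malleability is the same), the tag is HMAC-SHA256 rather than the question's HMAC-MD5 (the check behaves identically), and the message, keys and nonce are constructed sample values. The same CRC patching applies to the single-block CBC case in the second answer, where the IV plays the role the keystream plays here.

```python
import hashlib
import hmac
import os
import zlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def crc_is_linear(x: bytes, y: bytes, z: bytes) -> bool:
    """The identity CRC(x^y^z) == CRC(x)^CRC(y)^CRC(z) for equal-length inputs.
    It holds for CRC-32 including its init/final-XOR constants, because the
    constant cancels when an odd number of terms is combined."""
    lhs = crc32(xor(xor(x, y), z))
    rhs = xor(xor(crc32(x), crc32(y)), crc32(z))
    return lhs == rhs


# The proposal from the question: append a CRC, then encrypt data+CRC.
def seal_crc_then_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    pt = msg + crc32(msg)
    return xor(pt, keystream(key, nonce, len(pt)))


def open_crc_then_encrypt(key: bytes, nonce: bytes, ct: bytes):
    pt = xor(ct, keystream(key, nonce, len(ct)))
    msg, tag = pt[:-4], pt[-4:]
    return msg, hmac.compare_digest(tag, crc32(msg))


# The recommended construction: encrypt, then MAC the ciphertext (and nonce).
def seal_encrypt_then_mac(key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    ct = xor(msg, keystream(key, nonce, len(msg)))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_encrypt_then_mac(key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, False          # reject before decrypting anything
    return xor(ct, keystream(key, nonce, len(ct))), True


def ciphertext_only_tamper(ct: bytes, delta: bytes) -> bytes:
    """Push a plaintext XOR difference `delta` through the ciphertext without the
    key, and patch the encrypted CRC so the receiver's CRC check still passes.
    This is the linearity + malleability combination the first answer describes."""
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the data part")
    # CRC(m ^ delta) = CRC(m) ^ CRC(delta) ^ CRC(0...0): the three-term identity
    # with the all-zero string as the third term.
    crc_delta = xor(crc32(delta), crc32(bytes(n)))
    return xor(ct, delta + crc_delta)


def demo():
    """Returns (message the receiver accepts, CRC check result, HMAC check result)."""
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"PAY 0010 EUR TO ALICE"                      # constructed sample plaintext
    delta = xor(msg, b"PAY 9999 EUR TO ALICE")          # difference to an altered message

    ct = seal_crc_then_encrypt(key, nonce, msg)
    altered, crc_ok = open_crc_then_encrypt(key, nonce, ciphertext_only_tamper(ct, delta))

    blob = seal_encrypt_then_mac(key, mac_key, nonce, msg)
    flipped = xor(blob, delta + bytes(len(blob) - len(delta)))   # same bit flips, tag untouched
    _, mac_ok = open_encrypt_then_mac(key, mac_key, nonce, flipped)
    return altered, crc_ok, mac_ok


if __name__ == "__main__":
    altered, crc_ok, mac_ok = demo()
    print("CRC-then-encrypt accepted:", crc_ok, "->", altered)
    print("Encrypt-then-HMAC accepted:", mac_ok)
```

Note that the CRC patch in `ciphertext_only_tamper` needs no key material at all, which is exactly why the encrypted CRC is not a MAC: anything that can be computed from the intended change alone, without a secret, cannot authenticate. The HMAC path rejects the modified ciphertext before decryption, so a tampered message is never handed to the application.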