CBC-MAC, with fixed length message.
Is it safe to return all ciphered blocks instead of the last?
My intuition says it is less secure, since is gives an attacker more information. But how could one attack this scheme?
Asked
Active
Viewed 2,721 times
1 Answers
14
I'll assume All ciphered blocks means the same as ciphertext for CBC-Encryption with implicit zero IV, while CBC-MAC is the last block of that.
All ciphered blocks is unsafe as a message authenticator for messages longer than one block, for it succumbs to a trivial attack (here with two blocks):
- Eve intercepts message $M=M_0||M_1$ and its authenticator $A=A_0||A_1$
- she knows $A_0=E(M_0)$ and $A_1=E(A_0\oplus M_1)$
- she builds $M'=(A_0\oplus M_1)||(A_1\oplus M_0)$ and its authenticator $A'=A_1||A_0$.
The verifier will then accept as valid $M'$ and its authenticator $A'$ just as well as $M$ and its authenticator $A$.
Addition for completeness: $M'\ne M$ unless $M_1=M_0\oplus E(M_0)$, which is extremely unlikely to occur by chance.
