Broken MACS, Hashes HW

Broken MACS Hashes HW

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: = CBCEncryptE (m), let c∗ be K the last block, compute tag τ = EK (c∗ ). and use c, τ as an “authenticated encryption” scheme. Prove that this scheme fails to provide chosen-ciphertext security. (c) [Extra Credit: 10 points] In several encryption standards, ciphertexts may optionally be protected by a MAC. The entire ciphertext is accompanied by metadata specifying information such as which keys and encryption algorithms to use; if a MAC is used the tag is computed over this “associated data” as well. Suppose that a ciphertext is encrypted using an implementation that is vulnerable to chosen ciphertext attack (such as the CBC padding attack), and a MAC is used to protect against this attack. (i) Show how the ciphertext can still be attacked. (ii) Assuming that the unauthenticated encryption option must still be supported, how would you design the authenticated encryption scheme to avoid this kind of attack? Prove that your design is secure. 5. Hash cycles. [25 points] For a given hash function h, a hash chain starting from x is recursively defined as follows: H0 = x Hi = h...
View Full Document

This document was uploaded on 04/03/2014.

Ask a homework question - tutors are online