From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: BIG question about using and storing IV's
Date: Thu, 6 Sep 2001 16:52:29 +0000 (UTC)
Message-ID: <9n89kd$nb5$2@agate.berkeley.edu>

Mark Wooding wrote:
>David Wagner <daw@mozart.cs.berkeley.edu> wrote:
>> Actually, merely hashing the message (with, say, SHA, or some
>> other unkeyed hash) and then CBC-encrypting is not sufficient
>> to ensure security.
>
>A quick back-of-the-envelope computation shows that a CBC-encrypted hash
>isn't /too/ bad, [...]

I'm not sure I understand what you mean, but there's an attack.
Suppose you want to make the receiver think message M was sent,
even though the sender would never authorize this.  Then you
should construct M' = M || H(M) || X, where X is arbitrary and
where || denotes concatenation (it better be at block boundaries).
Ask the sender to transmit M'; he will form M' || H(M'), encrypt
it with CBC mode, and transmit the result.  Now you can truncate
the ciphertext, snipping it just before the "X" part, and the
receiver will think M was sent, which is an integrity failure.
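As an added illustration (not part of the original post): the truncation described above carried out against a "hash, then CBC-encrypt" sender, next to an encrypt-then-MAC construction that rejects the same truncated ciphertext. Assumptions of mine: H is SHA-256, the block cipher is a toy 4-round Feistel network built from HMAC-SHA256 standing in for AES so the code runs on the Python standard library alone (the attack does not depend on the cipher), and the message M and filler X are constructed 16-byte values.

```python
# Added example, not code from the post. Toy Feistel cipher stands in for AES.
import hashlib
import hmac
import os

BLOCK = 16          # 128-bit blocks, as with AES
TAG = 32            # SHA-256 output length, conveniently two whole blocks

M = b"pay alice $100.."   # constructed one-block message the attacker wants accepted
X = b"X" * BLOCK          # arbitrary trailing block, as in the post


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF of an 8-byte half-block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "plaintext must be block-aligned"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# --- the construction under discussion: CBC-encrypt M || H(M) ---------------

def send_hash_then_encrypt(key, iv, m):
    return cbc_encrypt(key, iv, m + sha256(m))


def recv_hash_then_encrypt(key, iv, ct):
    pt = cbc_decrypt(key, iv, ct)
    m, h = pt[:-TAG], pt[-TAG:]
    return m if hmac.compare_digest(h, sha256(m)) else None   # None = reject


# --- the truncation from the post ---------------------------------------------

def truncation_attack(key, iv, m, x):
    """The attacker never sees `key`; it is used here only to play the sender."""
    m_prime = m + sha256(m) + x                      # M' = M || H(M) || X
    ct = send_hash_then_encrypt(key, iv, m_prime)    # sender sends CBC(M' || H(M'))
    return ct[:len(m) + TAG]                         # snip just before the X part


# --- the fix: encrypt, then MAC the IV and ciphertext under a separate key ---

def send_encrypt_then_mac(enc_key, mac_key, iv, m):
    ct = cbc_encrypt(enc_key, iv, m)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def recv_encrypt_then_mac(enc_key, mac_key, iv, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                  # any truncation lands here
    return cbc_decrypt(enc_key, iv, ct)


def demo():
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    # 1. hash-then-encrypt: the truncated ciphertext decrypts to M || H(M), accepted
    accepted = recv_hash_then_encrypt(key, iv, truncation_attack(key, iv, M, X))
    # 2. encrypt-then-MAC over the same M': the same snip leaves ciphertext bytes
    #    where the tag should be, so the receiver rejects it
    blob = send_encrypt_then_mac(key, mac_key, iv, M + sha256(M) + X)
    rejected = recv_encrypt_then_mac(key, mac_key, iv, blob[:len(M) + TAG])
    roundtrip = recv_encrypt_then_mac(key, mac_key, iv, blob)
    return accepted, rejected, roundtrip


if __name__ == "__main__":
    print(demo())
```

The point the receiver side makes: with the hash inside the encryption, CBC decryption of any block-aligned prefix yields the matching prefix of the plaintext, so nothing binds the ciphertext length to the sender's intent. A MAC computed over the IV and the whole ciphertext (or an AEAD mode, which does the same job) makes the length part of what is authenticated.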


