From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: Message Integrity in CBC and CFB modes
Date: Fri, 7 Sep 2001 00:46:10 +0000 (UTC)
Message-ID: <9n95ci$18dm$2@agate.berkeley.edu>

DJohn37050 wrote:
>I do not see why a MAC is needed if data confidentiality is the goal.

You're in good company. I think many people find this counter-intuitive.
All I can do is refer you to some examples of how real systems can fail
if no MAC is present, even if data confidentiality is the only goal.

Here are some examples to illustrate what I mean:
  http://eprint.iacr.org/2001/045/ (particularly Section 4.2)
  http://www.research.att.com/~smb/papers/badesp.ps (all of it)
  http://www.cs.berkeley.edu/~daw/papers/wep-mob01.pdf (Section 4.4)

The first gives a theoretical example, the second gives many realistic
attacks on an earlier version of IPSEC, and the third gives two attacks
on 802.11 WEP. In each of these examples, there is an attack that breaks
data confidentiality, and the attack works precisely because there is no
MAC, despite the fact that the encryption algorithm is otherwise
perfectly fine.

I apologize that I don't know how to give a more concise explanation,
but I encourage folks to read those fine papers. They are worth the time.
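As an added example (not from Wagner's post and not from the papers it cites), the following Python models the situation the post is describing: a receiver that CBC-decrypts a message and checks its padding but verifies no MAC. Two things follow, both shown in code. First, someone who does not know the key can still edit the plaintext (CBC is malleable). Second, the receiver's accept/reject behaviour on its own is enough to recover the entire plaintext, a chosen-ciphertext attack of the padding-oracle kind (Vaudenay, 2002). Assumptions of this example: a toy 4-round Feistel cipher built from HMAC-SHA256 stands in for a real block cipher so that the code needs only the standard library; the PKCS#7 padding check, the sample message and every function name are this example's own.

```python
import hashlib, hmac, os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the toy cipher: HMAC-SHA256 keyed per round, truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # Toy 4-round Feistel cipher on 16-byte blocks (assumed stand-in for AES; stdlib only).
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)

def receiver_accepts(key, iv, ct):
    # Encryption without a MAC: the only check is the padding, and accept/reject is visible.
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

def tamper(iv, ct, offset, mask):
    # CBC malleability: XOR-ing `mask` into byte `offset` of IV||ct XORs it into plaintext byte `offset`.
    full = bytearray(iv + ct)
    full[offset] ^= mask
    return bytes(full[:BLOCK]), bytes(full[BLOCK:])

def padding_oracle_attack(oracle, iv, ct):
    # Recover the plaintext using only oracle(iv, block) -> bool; the key is never touched.
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)             # D_key(cur), learned one byte at a time
        for k in range(BLOCK - 1, -1, -1):
            p = BLOCK - k                    # padding value forced onto positions k..15
            crafted = bytearray(BLOCK)
            for j in range(k + 1, BLOCK):
                crafted[j] = inter[j] ^ p
            for g in range(256):
                crafted[k] = g
                if not oracle(bytes(crafted), cur):
                    continue
                if k == BLOCK - 1:           # rule out an accidental longer padding (e.g. 02 02)
                    crafted[k - 1] ^= 0xFF
                    if not oracle(bytes(crafted), cur):
                        continue
                inter[k] = g ^ p
                break
        recovered += _xor(inter, prev)
    return unpad(recovered)

def demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)
    secret = b"Transfer 100 EUR to account 12345"   # constructed sample plaintext
    ct = cbc_encrypt(key, iv, pad(secret))
    # 1. Integrity failure: turn "100" into "900" without the key; the receiver accepts it.
    iv2, ct2 = tamper(iv, ct, 9, ord("1") ^ ord("9"))
    forged = unpad(cbc_decrypt(key, iv2, ct2)) if receiver_accepts(key, iv2, ct2) else None
    # 2. Confidentiality failure: the accept/reject signal alone leaks the whole plaintext.
    leaked = padding_oracle_attack(lambda iv_, ct_: receiver_accepts(key, iv_, ct_), iv, ct)
    return forged, leaked
```

The point is the one the post makes: the cipher is not at fault, the missing MAC is. If the receiver verified an encrypt-then-MAC tag (an HMAC over IV||ciphertext, checked in constant time before any decryption), every modified ciphertext would be rejected before the padding was ever examined, and both attacks would fail.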