crypto101 / book

Crypto 101, the introductory book on cryptography.
https://www.crypto101.io/

Section on CBC padding attack does not mention IV #352

Open dato opened 5 years ago

dato commented 5 years ago

I followed section 7.9, CBC padding attacks, as a guide to complete challenge #17 of the cryptopals challenges.

Section 7.9 is a great write-up, but to my frustration I couldn’t make the attack work. Turns out the “Decrypting one byte” subsection should really have made a reference to the initialization vector (IV), because it’s needed to compute the actual plaintext byte. Without it, only the immediate output of D is achieved, not the plaintext.

In other words, in the formula on page 70, the expression 01 ⊕ r[b] should be, as I understand it, 01 ⊕ r[b] ⊕ iv[b]. (Of course for the second block in the ciphertext, the first block should be used as ‘IV’.)

Other than that thanks for the excellent chapter.

(FWIW the challenge in cryptopals.com does mention “oracle function returns the ciphertext and IV”, but I quickly forgot about it after having started to follow the book.)

lvh commented 5 years ago

This is sorta intentional: a CBC padding attack occurs at the end of the ctext and you don't always control the IV. Your explanation hints at this somewhat, e.g.:

> (Of course for the second block in the ciphertext, the first block should be used as ‘IV’.)

On page 70, the full expression is: D(Ci)[b] = 01 \xor r[b] as stated. In context (see p65 for a drawing) if you take R||Ci as the constructed ctext, you'll see that the IV is supplied (might be part of the ctext, might be fixed, whatever) -- but doesn't impact the target block. Does the expression make sense with the drawing?

EdOverflow commented 5 years ago

GitHub seriously needs LaTeX support. :roll_eyes:

dato commented 5 years ago

Oh.

> This is sorta intentional.

Thanks for the explanation; I think I get your point. What I’d like to do now is, with your explanation as starting point, restate my original observation and see if the text could still be improved.

> Does the expression make sense with the drawing?

So, the formula I complained about seems to me now, in a narrow sense, correct. When I complained that “[it] only [achieves us] the immediate output of D, not the plaintext”, well, the formula does certainly not promise otherwise. After all, it says D(Ci)[b], not Pi[b]. Is this what you meant?

Still I think it would be great if the text would explain... how to get from D(Ci)[b] to Pi[b] (and to point out the difference in the first place!). This seems in order if the target of the attack is the plaintext. While it’s true this step can be deduced by comparing the image in §7.9 with the original images for CBC decryption in §7.4, I can’t think of a reason not to help the reader here.

This explanation on how to get Pi[b] is useful even if the IV is not available, since it can be applied to every block except the first one. I think it could be added with no loss of generality? The text would just need to mention the difference between block 0, and the rest, with respect to the availability of the IV.

Does this at least make sense? “Help the reader” would be my main point.

lvh commented 5 years ago

> Thanks for the explanation; I think I get your point. What I’d like to do now is, with your explanation as starting point, restate my original observation and see if the text could still be improved.

Yeah definitely: I didn't mean to sound dismissive of your issue, I do want to fix the text :)

I also agree the distinction between D(Ci) and Pi needs to be highlighted and particularly how you get from one to the other. How do you feel about writing prose?
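The step the two of you are discussing, carried through in code as an added example (this is not code from the Crypto 101 book, the cryptopals challenge, or either commenter). A toy Feistel cipher built from SHA-256 stands in for AES so the example runs with the standard library only; it is not a secure cipher, just an invertible keyed permutation. The padding oracle, its fixed IV, the key, and the sample message are all constructed here. The point it makes is the one in this thread: the section 7.9 procedure with R||Ci returns D(Ci), and the plaintext only appears once you XOR in C_{i-1}, which for block 0 is the IV.

```python
"""Added example: the section 7.9 padding-oracle step, carried through to P_i.
The cipher below is a toy Feistel network (assumption, NOT secure); it only
needs to be an invertible keyed permutation so that D(C_i) means something."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation of one 16-byte block (toy cipher)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: this is the 'D' in D(Ci) from the book."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or not 1 <= data[-1] <= BLOCK or data[-data[-1]:] != bytes([data[-1]]) * data[-1]:
        raise ValueError("bad padding")
    return data[: -data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, block), prev)  # P_i = D(C_i) xor C_{i-1}
        prev = block
    return out


def make_padding_oracle(key: bytes, fixed_iv: bytes):
    """The leaky server (constructed): it reveals only whether padding was valid,
    and decrypts with an IV the caller does not control, as lvh notes above."""
    def oracle(ciphertext: bytes) -> bool:
        try:
            pkcs7_unpad(cbc_decrypt(key, fixed_iv, ciphertext))
            return True
        except ValueError:
            return False
    return oracle


def recover_block_decryption(oracle, c_i: bytes) -> bytes:
    """Section 7.9: submit R || c_i, find r[b] that makes the padding valid.
    What comes back is D(c_i), not the plaintext block."""
    d, r = bytearray(BLOCK), bytearray(BLOCK)
    for b in range(BLOCK - 1, -1, -1):
        pad = BLOCK - b                       # padding value being forced: 01, 02, ...
        for j in range(b + 1, BLOCK):
            r[j] = d[j] ^ pad                 # already-known bytes must decrypt to `pad`
        for guess in range(256):
            r[b] = guess
            if not oracle(bytes(r) + c_i):
                continue
            if pad == 1:
                # a "valid" 01 might really be 02 02 etc.; perturb the byte before it
                r[b - 1] ^= 0xFF
                still_ok = oracle(bytes(r) + c_i)
                r[b - 1] ^= 0xFF
                if not still_ok:
                    continue
            d[b] = guess ^ pad                # D(c_i)[b] = pad xor r[b]: the page-70 formula
            break
        else:
            raise RuntimeError("no r[b] gave valid padding")
    return bytes(d)


def recover_plaintext_block(oracle, previous_block: bytes, c_i: bytes) -> bytes:
    """The missing step: P_i[b] = D(c_i)[b] xor C_{i-1}[b], where C_{i-1} is the
    IV for block 0 and the previous ciphertext block for every other block."""
    return _xor(recover_block_decryption(oracle, c_i), previous_block)


def demo() -> bytes:
    key, iv = os.urandom(16), bytes(BLOCK)               # constructed: server uses a fixed IV
    message = b"attack at dawn, padding oracle demo!"    # constructed sample message
    ct = cbc_encrypt(key, iv, pkcs7_pad(message))
    oracle = make_padding_oracle(key, iv)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for i, c_i in enumerate(blocks):
        prev = iv if i == 0 else blocks[i - 1]           # only block 0 needs the IV
        recovered += recover_plaintext_block(oracle, prev, c_i)
    return pkcs7_unpad(recovered)


if __name__ == "__main__":
    print(demo())
```

`recover_block_decryption` is the book's procedure and stops at D(Ci); `recover_plaintext_block` is the one extra XOR the thread asks the text to spell out. Running `demo()` also shows lvh's point in practice: the server's IV never touches the target block, and it is only needed (when known) to turn D(C0) into P0. From the defender's side the lesson is the same as the book's: an endpoint that lets a caller distinguish a padding failure from any other failure is the oracle, so authenticate the ciphertext before decrypting and never report padding errors separately.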

dato commented 5 years ago

> I didn't mean to sound dismissive of your issue.

All is good. :)

> How do you feel about writing prose?

Heh, I can look into it if you’d like. Should have time for it some time before the end of the month.