Due Date: W March 4th, 2015, 11:59pm.
In this assignment, the goal is to demonstrate a weakness in the use of the CBC-MACs in the code provided and provide a fix for the code.
Follow these instructions:
Obtain the tarfile from here. NOTE: Be sure to replace "team" with an ID for your team below (see the Makefile for "tar").
Unpack the tarfile in some appropriate directory on a UNIX system (there are many available at CSE -- see Notes below). You will need to get the gcrypt library (and its dependencies) if the machine does not have it installed already.
Several problems have arisen when using CBC-MACs in practice. Please do a survey on the Internet to identify problems.
Given the code, please produce code to exploit one known (or unknown if you prefer :->) vulnerability of CBC-MACs. Please submit the chosen exploit to me prior to use. In general, there are a number of moderately straightforward exploits, but a bonus will go to the most creative exploit. NOTE that you are allowed to remove encryption from the code to make some exploits practical.
Then, repair the CBC-MAC implementation provided to prevent the chosen exploit. NOTE: You have a fair bit of latitude here. E.g., You may replace CBC-MAC with another kind of MAC.
I will provide a drop box for submitting this project. The project is due on W March 4th at 11:59pm. Please submit the following:
Please attach a tar file containing all the source code. You can build this tar file using the command make tar from the source directory (don't forget to add your files, if you create new ones).
Provide a brief writeup describing the vulnerability chosen, why it is a problem, and the chosen solution. Also, please provide directions for how to run the exploit. The solution should be run using the same API as provided in the original code.
UPRETI, NITISH; JADIDI, AMIN; CAO, WENQI
XU, DONGPENG; MINKIN, ILIA; WANG, KAIYU
ZIENTARA, PETER; SHARMA, AAKASH; LV, WEINING
WANG, SHUAI; NARAYANAN, IYSWARYA; MUKHOPADHYAY, MANJARI
ELYASI, NIMA; QIU, LI; RENGASAMY, PRASANNA VENKATESH; SAGHAIAN NEJAD ESFAHANI, SAYED
A Makefile has been created to help you build the applications. To build, simply type "make" in the target directories.
gcrypt library -- As part of this assignment, you will be required learn and use the GNU cryptography library (for many Linux distros, you should install by package). Details of this library are presented in the manual.