CSE543 - Project #2 - CBC-MAC Flaws

Due Date: W March 4th, 2015, 11:59pm.

In this assignment, the goal is to demonstrate a weakness in the use of the CBC-MACs in the code provided and provide a fix for the code.

Follow these instructions:

  1. Obtain the tarfile from here. NOTE: Be sure to replace "team" with an ID for your team below (see the Makefile for "tar").

  2. Unpack the tarfile in some appropriate directory on a UNIX system (there are many available at CSE -- see Notes below). You will need to get the gcrypt library (and its dependencies) if the machine does not have it installed already.

  3. Several problems have arisen when using CBC-MACs in practice. Please do a survey on the Internet to identify problems.

  4. Given the code, please produce code to exploit one known (or unknown if you prefer :->) vulnerability of CBC-MACs. Please submit the chosen exploit to me prior to use. In general, there are a number of moderately straightforward exploits, but a bonus will go to the most creative exploit. NOTE that you are allowed to remove encryption from the code to make some exploits practical.

  5. Then, repair the CBC-MAC implementation provided to prevent the chosen exploit. NOTE: You have a fair bit of latitude here. E.g., You may replace CBC-MAC with another kind of MAC.

  6. I will provide a drop box for submitting this project. The project is due on W March 4th at 11:59pm. Please submit the following:

  7. Teams

    1. UPRETI, NITISH; JADIDI, AMIN; CAO, WENQI

    2. XU, DONGPENG; MINKIN, ILIA; WANG, KAIYU

    3. ZIENTARA, PETER; SHARMA, AAKASH; LV, WEINING

    4. WANG, SHUAI; NARAYANAN, IYSWARYA; MUKHOPADHYAY, MANJARI

    5. ELYASI, NIMA; QIU, LI; RENGASAMY, PRASANNA VENKATESH; SAGHAIAN NEJAD ESFAHANI, SAYED

Notes

  1. A Makefile has been created to help you build the applications. To build, simply type "make" in the target directories.

Documentation

gcrypt library -- As part of this assignment, you will be required learn and use the GNU cryptography library (for many Linux distros, you should install by package). Details of this library are presented in the manual.


Trent Jaeger