CBC Malleability

Here's what CBC mode decryption looks like (with 16-bit blocks):
Let's consider a padding scheme where correctly padded blocks end in either
See if you can flip some bits in this ciphertext so that it decrypts to something with valid padding. Try it:
Look at the bits you had to flip to achieve valid padding (the red bits). What is the relationship between those bits and the bits of the original plaintext?
Now suppose the only information you can see is whether flipping certain ciphertext bits results in a plaintext with valid padding. Can you use this ability to decrypt the ciphertext? Try it!
When your guess of the plaintext is correct, it will turn green. If you need to "cheat," you can look at the entire result of decryption.
- Try to find a way to flip the last 4 bits that results in valid padding.
- Now you know that the (modified) plaintext must end in 0001, so you should be able to figure out what the original plaintext was.
- Flip more bits to try to get the (modified) plaintext to end in 00000010.
- etc etc
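
The first two hints, worked through in code as an added example (not code from the original page): the toy 16-bit block cipher, key, IV and sample plaintext are constructed for illustration. Because the page's list of valid paddings is cut off, the example assumes only the two endings named in the hints (0001 and 00000010) are valid, and it handles the case where a flip lands on 00000010 instead of 0001.

```python
# Added illustration: toy 16-bit CBC with a padding oracle. The block cipher,
# key, IV and sample plaintext are constructed for this example.
MASK = 0xFFFF
KEY = 0xBEEF   # constructed key
IV = 0x3A91    # constructed previous ciphertext block (or IV)

def enc_block(x):
    """Toy invertible 16-bit permutation standing in for a real block cipher."""
    x ^= KEY
    return ((x << 5) | (x >> 11)) & MASK      # rotate left by 5

def dec_block(y):
    x = ((y >> 5) | (y << 11)) & MASK         # rotate right by 5
    return x ^ KEY

def cbc_decrypt_block(prev, c):
    # CBC: plaintext = D(ciphertext block) XOR previous ciphertext block
    return dec_block(c) ^ prev

def padding_ok(p):
    # Assumption: only the two endings named in the hints count as valid.
    return (p & 0xF) == 0b0001 or (p & 0xFF) == 0b00000010

def make_oracle(c):
    """What the observer sees: valid/invalid padding for a chosen prev block."""
    return lambda prev: padding_ok(cbc_decrypt_block(prev, c))

def recover_last_nibble(prev, oracle):
    for flip in range(16):                    # every way to flip the last 4 bits
        if not oracle(prev ^ flip):
            continue
        # Valid padding could be ...0001 or ...0000 0010. Flipping a bit in the
        # second-to-last nibble keeps ...0001 valid but breaks ...0000 0010.
        if oracle(prev ^ flip ^ 0x10):
            return flip ^ 0b0001              # original bits = flipped bits XOR 0001
    raise ValueError("oracle never reported valid padding")

def demo(plaintext=0x5C07):
    c = enc_block(plaintext ^ IV)             # CBC-encrypt one block
    # Malleability: flipping bit i of prev flips bit i of the decrypted block.
    assert cbc_decrypt_block(IV ^ 0x0008, c) == plaintext ^ 0x0008
    return recover_last_nibble(IV, make_oracle(c))

if __name__ == "__main__":
    print(f"recovered last nibble: {demo():04b}")
```

The default plaintext has 0000 as its second-to-last nibble, so one flip produces 00000010 before the flip that produces 0001; the second oracle query is what tells the two apart.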