One potential weakness in WTLS is the use of CBC mode cipher encryption. The standard states that for CBC mode block ciphers, the IV (initialization vector) for each record is calculated in the following way: record_IV = IV⊕S where IV is the original IV and S is obtained by concatenating the 2-byte sequence number of the record the needed number of times to obtain as many bytes as in IV.Thus, if the IV is 8 bytes long, the sequence number of the record is concatenated with itself four times.

Now, in CBC mode, the first block of plaintext for a record with sequence number would be encrypted as (Figure 6.4)

where P_s,1 is the first block of plaintext of a record with sequence number and is the concatenated version of . Consider a terminal application (such as telnet), where each keypress is sent as an individual record. Alice enters her password into this application, and Eve captures these encrypted records. Note that the sequence number is known to Eve, because this portion of the record is not encrypted (Figure 17.17). Now somehow Eve gets hold of Alice’s channel, perhaps through an echo feature in some application. This means that Eve can present unencrypted records to the channel and view the encrypted result. Suggest a brute-force method by which Eve can guess password letters in Alice’s password. Hint: Exploit these properties of exclusive-OR: 

Transcribed Image Text:

C = E(K. [IV S + Ps, il)