Does CBC encryption of a hash provide authenticity?

Question

Given a message $M$ and a cryptographic hash function $H$, let $f(M) = E_K(M || H(M))$ where $E_K$ is AES-128-CBC encryption with PKCS#5 padding. Take $H = \textrm{SHA-256}$ if it matters. In other words, we encrypt the message and a hash of the message, with CBC.

Does $f$ guarantee the authenticity of the message? (Assume the adversary doesn't know the secret key $K$, of course.)

CBC doesn't provide any authenticity, but changing any bit of the ciphertext completely changes the decryption of the block, which should prevent the adversary from computing the hash of the modified plaintext. Is this right? Does this scheme provide authenticity if the IV isn't reused? If the IV is reused, I get the feeling that there are cases where the adversary can mix parts of the two messages.

_{Don't worry, I am not planning on doing that. If I need authenticated encryption, I'll use a proper mode such as EAX or GCM.}

Answer 1

No, the scheme described in the question does not provide integrity.

A forgery is possible when the message's size is allowed to vary (which is presumably the case since some padding is used), and the adversary can choose some segment of the message with knowledge of the message before that segment. That is, a message $M=M_b||M_c||M_d$ with the beginning $M_b$ of the message known, and chosen $M_c$.

The adversary chooses any $M_x$ she wants, computes $$M_c=M_x||H(M_b||M_x)||\operatorname{Padding}(M_b||M_x||H(M_b||M_x))$$ then let the legitimate sender do his job, which will produce the ciphertext $E_K(M||H(M))$ with $M$ starting in $M_b||M_c$. Notice that by construction, $M_b||M_c$ is block-aligned, and padded so that removal of the padding will leave $M_b||M_x||H(M_b||M_x)$. Now the adversary truncates the ciphertext after that block, and has a forgery that is accepted as the ciphertext for $M_b||M_x$.

Underlying problem: the same key is used for confidentiality and integrity.

Example where this would matter: The message $M=M_b||M_c||M_d$ is a program. $M_b$ is a header imposed by the operating system. The process of producing a program normally produces $M_b||M_d$ where execution starts after $M_b$ thus at the beginning of $M_d$, but the adversary has modified this process to produce $M_b||M_c||M_d$, so that execution starts at $M_c$, thus at $M_x$ which is under full control by the adversary. When executed, $M_x$ examines if $M_d$ is present, if yes executes $M_d$, else performs some nefarious action. The legitimate user produces a program $M$, checks that it performs normally (perhaps using some executable analysis tool that concludes $M_c$ will always jump at $M_d$ and disregard analysis of the rest of $M_c$), then authenticates and enciphers it into a cryptogram. Problem is: it is enough to truncate that cryptogram to produce an acceptable cryptogram which carries $M_b||M_x$, which is happily executed by the operating system but performs some nefarious action.

Note: The stated conditions are sufficient for the attack, but not necessary. For example, when $H=\operatorname{SHA-256}$, an attack can be carried if the adversary can choose some segment $M_c$ of the message with knowledge of the hash and length of the portion of the message before $M_c$.

_{Nitpick: It is meant PKCS#7 padding, for PKCS#5 padding applies only to 8-byte blocks.}