
I'm reading the Handbook of Applied Cryptography by Alfred J. Menezes et al. In particular, I'm stuck on the case of reusing a key for CBC encryption and CBC-MAC in a MAC-then-encrypt structure.

My question is: for the MAC-then-encrypt structure, the textbook's p. 367 states

Example (improper combination of CBC-MAC and CBC encryption) Consider using the data integrity mechanism of equation $C' = E_k(x \mathbin\| h_{k'}(x))$, with $E_k$ being CBC-encryption with key $k$ and initialization vector $IV$, $h_{k'}(x)$ being CBC-MAC with $k'$ and $IV'$, and $k = k'$, $IV = IV'$. The data $x = x_1 \mathbin\| x_2 \mathbin\| \ldots \mathbin\| x_t$ can then be processed in a single CBC pass, since the CBC-MAC is equal to the last ciphertext block $c_t = E_k(c_{t-1} \oplus x_t)$, and the last data block is $x_{t+1} = c_t$, yielding final ciphertext block $c_{t+1} = E_k(c_t \oplus x_{t+1}) = E_k(0)$. The encrypted MAC is thus independent of both plaintext and ciphertext, rendering the integrity mechanism completely insecure. Care should thus be taken in combining a MAC with an encryption scheme. In general, it is recommended that distinct (and ideally, independent) keys be used.

Why is it a problem that the MAC is independent of both plaintext and ciphertext? Are there any instances where an attacker could use this fact? (I know that the MAC-then-encrypt structure is vulnerable to padding oracle attacks; however, in that case the attacker can perform an actual attack.) I think the encrypted MAC part always results in 0 being encrypted, but there is no practical way to exploit this fact. Isn't that right?

fgrieu
pioneer

1 Answer


Why is the comment needed that the encrypted MAC part is constant?

With the scheme in the question, in a cryptogram with the correct MAC, the last block of the encrypted message is a constant. Importantly, that goes both ways: if the last block of the encrypted message is that constant, then the MAC is correct and whatever plaintext is deciphered will pass the MAC test.

This allows forgery: an adversary can observe one encrypted message, get that constant, and from then on forge encrypted messages that will pass the MAC check after decryption. That goes against the purpose of ensuring integrity of the (deciphered) message.

We combined a secure encryption, and a secure MAC (for constant message length), and got an insecure combination (w.r.t. the goal of the MAC) because we did not obey the principle: a key shall only serve one purpose (or: one use, one key).


In this context, it gets worse than letting garbage pass the MAC check: CBC encryption is malleable enough that an adversary can partially choose the deciphered plaintext. For example, with a long known plaintext, they can copy/paste large segments of ciphertext, cutting at block boundaries, and that does the same to the deciphered plaintext, albeit with one block of garbage after each cut. Another example (which can be combined with the first): an adversary can put an arbitrary chosen value one block wide in the deciphered plaintext, by putting it in a ciphertext block followed by a copy of the last block $E_k(0)$.

fgrieu
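An added example (my own code, not from the question, fgrieu's answer, or the Handbook) that runs the construction end to end: CBC encryption, CBC-MAC and the MAC-then-encrypt wrapper $C' = E_k(x \mathbin\| h_{k'}(x))$ over a stand-in 16-byte block cipher (a 4-round Feistel network with an HMAC-SHA256 round function, assumed here in place of AES). It checks that with $k = k'$ and $IV = IV'$ every cryptogram ends in $E_k(0)$ and the MAC check accepts random ciphertext blocks placed in front of that constant, while with independent keys both properties disappear.

```python
import hmac, hashlib, os

BLOCK = 16

def _f(key, i, half):                        # Feistel round function (HMAC-SHA256, 8 bytes)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):                           # stand-in block cipher: keyed permutation on 16 bytes
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, xor(L, _f(key, i, R))
    return L + R

def D(key, block):                           # inverse of E (rounds undone in reverse order)
    L, R = block[:8], block[8:]
    for i in reversed(range(4)):
        L, R = xor(R, _f(key, i, L)), L
    return L + R

def cbc_encrypt(key, iv, blocks):            # c_i = E_k(c_{i-1} xor x_i), c_0 = IV
    out, prev = [], iv
    for x in blocks:
        prev = E(key, xor(prev, x)); out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):            # x_i = D_k(c_i) xor c_{i-1}
    out, prev = [], iv
    for c in blocks:
        out.append(xor(prev, D(key, c))); prev = c
    return out

def cbc_mac(key, iv, blocks):                # CBC-MAC tag = last CBC ciphertext block
    return cbc_encrypt(key, iv, blocks)[-1]

def mac_then_encrypt(k, iv, k2, iv2, blocks):   # C' = E_k(x || h_k'(x)), tag appended as x_{t+1}
    return cbc_encrypt(k, iv, blocks + [cbc_mac(k2, iv2, blocks)])

def decrypt_and_verify(k, iv, k2, iv2, ct):  # receiver side: plaintext blocks, or None if tag fails
    pt = cbc_decrypt(k, iv, ct)
    ok = hmac.compare_digest(pt[-1], cbc_mac(k2, iv2, pt[:-1]))
    return pt[:-1] if ok else None

def last_block_is_constant(k, iv, k2, iv2, msgs):
    # HAC's observation: with k = k' and IV = IV' every cryptogram ends in E_k(0)
    return all(mac_then_encrypt(k, iv, k2, iv2, m)[-1] == E(k, bytes(BLOCK)) for m in msgs)

def garbage_passes_check(k, iv, k2, iv2, observed):
    # integrity test: random blocks in front of the observed last block must be rejected
    junk = [os.urandom(BLOCK) for _ in observed[:-1]] + [observed[-1]]
    return decrypt_and_verify(k, iv, k2, iv2, junk) is not None
```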