Tags: cbc crypto 

Rating:

We are given a cyphertext encrypted with AES-CBC, IV and the beginning
of the plaintext. The task is to mangle it so that after decryption the
beginning of the plaintext would begin with another given string.
All bits that have to be changed are in the 1st block (128 bit). in cbc mode the first block is encrypted this way:
CT[0] = enc(PT[0] ^ IV)
and decrypted:
PT[0] = dec(CT[0]) ^ IV
So
if the n-th bit of IV is changed, the n-th bit of PT is changed too. We
can calculate IV` = IV ^ PT[0] ^ PT`[0]. And if we provide the user
with IV` instead of IV he will get PT` instead of PT after decrypting.
The flag is IV`