[tptacek]

I'm not sure I totally follow this (you seem to be talking about an attack on CBC mode, but the mode you're describing sounds more like CTR mode), but a good rule of thumb is, without explicit authentication, attackers can alter and often rewrite messages even though all they can see is ciphertext.

But there are even more problems than that with unauthenticated encryption. If you don't authenticate there is a good chance attackers will be able to decrypt your messages wholesale.

[forgotusername]

> decrypt your messages wholesale.

Eek, that sounds fun :) Tell us more?

[Nursie]

If they can get your system to tell them if a message is valid somehow, perhaps by making thousands of attempts to pass a message and noting where it says 'login failed' or '404' instead of invalid message (for instance) then there are all sorts of things that can be done to recover messages and keys.

I highly recommend Dan Boneh's crypto 101 on coursera for anyone that has the time.

[tptacek]

The CBC padding oracle is one such attack. There are a bunch of similar ones. They're "chosen ciphertext" attacks.

Again, even if you get this part right, there are other things that go wrong. TLS is authenticated, and it fell to two adaptive chosen plaintext attacks because of two different implementation details they messed up. And no public cryptosystem in the world has been as thoroughly tested and analyzed as TLS.

[pjscott]

There's an entertaining article about one such attack here:

http://blog.cryptographyengineering.com/2011/10/attack-of-we...

For some mind-boggling reason, the designers of the XML Encryption standard decided to make authentication optional, so an attacker can simply avoid sending an incorrect MAC.