14.3

The original three-way authentication procedure for X.509 illustrated in Figure 14.6c contains a security flaw. The essence of the protocol is as follows:

A → B: A{t_A, r_A, ID_B}
B → A: B{t_B, r_B, ID_A, r_A}
A → B: A{r_B}

The text of X.509 states that checking timestamps t_A and t_B is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:

C → B: A{0, r_A, ID_B}

B responds, thinking it is talking to A but is actually talking to C:

B → C: B{0, r'_B, ID_A, r_A}

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

A → C: A{0, r'_A, ID_C}

C responds to A using the same nonce provided to C by B.

C → A: C{0, r'_B, ID_A, r'_A}
A responds with

A → C: A{r'_B}

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

C → B: A{r'_B}

So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.
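The interleaved run described above, modelled as an added example that is not part of the textbook problem: the X.509 signatures A{...}, B{...}, C{...} are stood in for by HMAC tags under constructed per-principal keys, timestamps are 0 as in the text, and B's acceptance checks are the hypothetical minimal ones a responder would perform. The `bind_recipient` switch is an assumption of this example, not the text's answer; it shows the effect of one candidate hardening, carrying the intended recipient's identifier inside the third message.

```python
import hmac
import hashlib

# Constructed long-term keys standing in for each principal's signing key.
KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C"}


def sign(signer, fields):
    """Model X{fields}: the signer's name, the fields, and a tag over the fields."""
    body = "|".join(str(f) for f in fields).encode()
    tag = hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()
    return signer, tuple(fields), tag


def verify(msg, expected_signer):
    """Check the tag and that the message was signed by whom the receiver expects."""
    signer, fields, tag = msg
    body = "|".join(str(f) for f in fields).encode()
    expected = hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()
    return signer == expected_signer and hmac.compare_digest(tag, expected)


def b_accepts(msg1, msg3, r_b, bind_recipient=False):
    """B's checks on messages 1 and 3 (hypothetical; timestamps are not checked)."""
    if not verify(msg1, "A") or msg1[1][2] != "B":
        return False
    if not verify(msg3, "A") or msg3[1][0] != r_b:
        return False
    if bind_recipient and msg3[1][1] != "B":   # recipient named in message 3 must be B
        return False
    return True


def run_interleaving(bind_recipient=False):
    """Replay the trace from the text and report whether B ends up accepting C as A."""
    r_a, r_b2, r_a2 = "rA", "r'B", "r'A"          # r_A, r'_B, r'_A from the text
    m1 = sign("A", (0, r_a, "B"))                  # captured earlier, replayed C -> B
    m2 = sign("B", (0, r_b2, "A", r_a))            # B -> C (B believes it is talking to A)
    m_ac = sign("A", (0, r_a2, "C"))               # A -> C, A initiating with C
    m_ca = sign("C", (0, r_b2, "A", r_a2))         # C -> A, relaying B's nonce r'_B
    # A's view: C answered with A's fresh nonce, so A completes the run with its peer C.
    assert verify(m_ca, "C") and m_ca[1][3] == r_a2 and verify(m2, "B")
    if bind_recipient:
        m3 = sign("A", (r_b2, "C"))                # A{r'_B, ID_C}: names A's actual peer
    else:
        m3 = sign("A", (r_b2,))                    # A{r'_B} as in the original protocol
    return b_accepts(m1, m3, r_b2, bind_recipient)  # C forwards m3 unchanged to B
```

With the original third message `run_interleaving()` returns True (B is fooled); with the recipient identifier bound into message 3 it returns False, because the message A signed names C, not B.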

14.4

The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure, given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n: It must be ensured that e > log_2(n) to prevent attack by taking the eth root mod n to disclose the plaintext. Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?