4.5 In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol.The original version of X.509 contains a security flaw.The essence of the protocol is A B: A {tA, rA, IDB} B A: B {tB, rB, IDA, rA} A B: A {rB} where tA and tB are timestamps, rA and rB are nonces, and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X. The text of X.509 states that checking timestamps tA and tB is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B: C B: A {0, rA, IDB} B responds, thinking it is talking to A but is actually talking to C: B : C: B{0, roe B, IDA, rA} C meanwhile causes A to initiate authentication with C by some means. As a result,A sends C the following: C responds to A using the same nonce provided to C by B. A responds with This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B. So B will believe it is talking to A, whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps. | |
| View Solution | |
| << Back | Next >> |