In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw. The essence of the protocol is

$A \to B:\ A\{t_A, r_A, ID_B\}$
$B \to A:\ B\{t_B, r_B, ID_A, r_A\}$
$A \to B:\ A\{r_B\}$

where $t_A$ and $t_B$ are timestamps, $r_A$ and $r_B$ are nonces, and the notation $X\{Y\}$ indicates that the message $Y$ is transmitted, encrypted, and signed by $X$.

The text of X.509 states that checking timestamps $t_A$ and $t_B$ is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:

$C \to B:\ A\{0, r_A, ID_B\}$

B responds, thinking it is talking to A but is actually talking to C:

$B \to C:\ B\{0, r'_B, ID_A, r_A\}$

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

$A \to C:\ A\{0, r'_A, ID_C\}$

C responds to A using the same nonce provided to C by B.

$C \to A:\ C\{0, r'_B, ID_A, r'_A\}$

A responds with

$A \to C:\ A\{r'_B\}$

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

$C \to B:\ A\{r'_B\}$

So B will believe it is talking to A, whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.
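The exchange described above, modelled from B's side as an added example (not part of the original question or of the X.509 text). Assumptions: HMAC under a per-principal key stands in for a public-key signature, and the `bind_id` option, which places the intended recipient's identity inside the signed third message, is one commonly cited timestamp-free fix rather than something stated on this page; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumption: HMAC under a per-principal key stands in for a public-key
# signature; verify() models checking that signature against the signer's cert.
KEYS = {name: secrets.token_bytes(32) for name in ("A", "B", "C")}

def sign(signer, fields):
    body = "|".join(map(str, fields)).encode()
    tag = hmac.new(KEYS[signer], body, hashlib.sha256).digest()
    return (signer, tuple(fields), tag)

def verify(msg):
    signer, fields, tag = msg
    return hmac.compare_digest(sign(signer, fields)[2], tag)

def third_message(sender, peer_nonce, peer_id, bind_id):
    # Original form: A{r_B}. Hardened form (assumed fix): A{r_B, ID_peer}.
    return sign(sender, (peer_nonce, peer_id) if bind_id else (peer_nonce,))

def b_accepts(msg3, claimed, r_b, bind_id):
    # B's check on message 3: valid signature by the claimed peer over B's
    # fresh nonce and, when bind_id is set, over B's own identity.
    signer, fields, _ = msg3
    expected = (r_b, "B") if bind_id else (r_b,)
    return signer == claimed and verify(msg3) and fields == expected

def honest_run(bind_id):
    r_b = secrets.token_hex(8)
    return b_accepts(third_message("A", r_b, "B", bind_id), "A", r_b, bind_id)

def relayed_run(bind_id):
    # Message flow from the question, timestamps fixed at 0 (constructed values).
    captured = sign("A", (0, "rA-old", "B"))              # C -> B (old message 1)
    r_b = secrets.token_hex(8)                            # B's fresh nonce r'_B
    reply = sign("B", (0, r_b, "A", captured[1][1]))      # B -> C
    r_a = secrets.token_hex(8)
    sign("A", (0, r_a, "C"))                              # A -> C (new session)
    sign("C", (0, reply[1][1], "A", r_a))                 # C -> A, reusing r'_B
    msg3 = third_message("A", reply[1][1], "C", bind_id)  # A -> C, honest reply
    return b_accepts(msg3, "A", r_b, bind_id)             # C forwards msg3 to B

if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_id={bind}: honest={honest_run(bind)} relayed={relayed_run(bind)}")
```

With `bind_id=False` B accepts the forwarded message because A's signature over the bare nonce says nothing about whom A meant to answer; with `bind_id=True` the signed identity is C's, so B's comparison fails while the honest run still succeeds.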
