Cryptography and Network Security (4th Edition)

[Page 431 (continued)]

14.5. Key Terms, Review Questions, and Problems

Key Terms

authentication

authentication server

Kerberos

Kerberos realm

lifetime

nonce

propagating cipher block chaining (PCBC) mode

public-key certificate

realm

sequence number

subkey

ticket

ticket-granting server (TGS)

X.509 certificate

Review Questions

14.1

What problem was Kerberos designed to address?

14.2

What are three threats associated with user authentication over a network or Internet?

14.3

List three approaches to secure user authentication in a distributed environment.

14.4

What four requirements were defined for Kerberos?

[Page 432]
14.5

What entities constitute a full-service Kerberos environment?

14.6

In the context of Kerberos, what is a realm?

14.7

What are the principal differences between version 4 and version 5 of Kerberos?

14.8

What is the purpose of the X.509 standard?

14.9

What is a chain of certificates?

14.10

How is an X.509 certificate revoked?

Problems

14.1

Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (Figure 14.9).

14.2

Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks.

14.3

The original three-way authentication procedure for X.509 illustrated in Figure 14.6c contains a security flaw. The essence of the protocol is as follows:

A B:

A{tA, rA, IDB}

B A:

B{tB, rB, IDA, rA}

A B:

A{rB}

The text of X.509 states that checking timestamps tA and tB is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:

C B:

A{0, rA, IDB}

B responds, thinking it is talking to A but is actually talking to C:

B C:

B{0, r'B, IDA, rA}

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

A C:

A{0, r'A, IDC}

C responds to A using the same nonce provided to C by B.

C A:

C{0,r'B, IDA, r'A}

A responds with

A C:

A{r'B}

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

C B:

A{r'B}

So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.

14.4

The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure, given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n:

It must be ensured that e > log2(n) to prevent attack by taking thee th root mod n to disclose the plaintext.

Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?

Related

Категории