1. Kerberos version 4 uses an extension to CBC called propagating CBC (PCBC) mode for encryption (Appendix F). What is the property of this mode? How are encryption and decryption performed in PCBC mode?
2. Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks.
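The following is an added worked example (not part of the original problem set) for problems 1 and 2: it implements PCBC encryption and decryption over a toy Feistel block cipher (a stand-in for DES, constructed here for illustration only), then swaps two ciphertext blocks in transit and reports which decrypted blocks are damaged. The key, IV and plaintext used in the check are constructed sample values.

```python
import hashlib

BLOCK = 16   # toy cipher block size in bytes (two 8-byte Feistel halves)
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]
def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy Feistel cipher standing in for DES; illustration only, not a real cipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same network with the round sequence reversed.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l
def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def pcbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # PCBC: C_i = E_K(P_i XOR P_{i-1} XOR C_{i-1}), with P_0 XOR C_0 = IV.
    out, chain = [], iv
    for p in _blocks(plaintext):
        c = encrypt_block(key, _xor(p, chain))
        out.append(c)
        chain = _xor(p, c)          # both plaintext and ciphertext propagate
    return b"".join(out)

def pcbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # PCBC: P_i = D_K(C_i) XOR P_{i-1} XOR C_{i-1}.
    out, chain = [], iv
    for c in _blocks(ciphertext):
        p = _xor(decrypt_block(key, c), chain)
        out.append(p)
        chain = _xor(p, c)
    return b"".join(out)

def swapped_block_errors(key: bytes, iv: bytes, plaintext: bytes, i: int) -> list:
    # Swap ciphertext blocks i and i+1 (0-based) in transit and list the plaintext blocks that decrypt wrongly.
    ct = _blocks(pcbc_encrypt(key, iv, plaintext))
    ct[i], ct[i + 1] = ct[i + 1], ct[i]
    pt = _blocks(pcbc_decrypt(key, iv, b"".join(ct)))
    return [k for k, (a, b) in enumerate(zip(pt, _blocks(plaintext))) if a != b]
```

With a five-block sample plaintext and ciphertext blocks 1 and 2 swapped, only plaintext blocks 1 and 2 come out wrong; blocks 3 and 4 decrypt correctly because P_{i+1} XOR C_{i+1} fed into the chain is unchanged by the swap.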
3. In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw. The essence of the protocol is
A → B: A {tA, rA, IDB}
B → A: B {tB, rB, IDA, rA}
A → B: A {rB}
where tA and tB are timestamps, rA and rB are nonces, and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X.
The text of X.509 states that checking timestamps tA and tB is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:
C → B: A {0, rA, IDB}
B responds, thinking it is talking to A but is actually talking to C:
B → C: B {0, r'B, IDA, rA}
C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:
A → C: A {0, r'A, IDC}
C responds to A using the same nonce provided to C by B.
C → A: C {0, r'B, IDA, r'A}
A responds with
A → C: A {r'B}
This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.
C → B: A {r'B}
So B will believe it is talking to A, whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.