An online e-commerce website allows a user to login to the website uses username and password. To avoid password leakage during data transmission, the website introduces the following login protocol between the client PC and the website:
1. User enters his username (U) and password (P) to the client PC
2. The client PC sends the username (U) to the website in plain form
3. The website extracts the password (P) for the username (U) from his password database, generates a random number N, and encrypts N with SHA1(P) as the key using AES, then sends the encrypted result back to the client PC
Copyright By PowCoder代写 加微信 powcoder
4. The client PC decrypts the reply from the website using SHA1(P) and obtains N
5. The client then encrypts the value N – 1 with SHA1(P) as the key using AES, then sends the encrypted result to the website again
6. The website decrypts the message from the client to obtain the value N – 1 and the login is successful
7. The client PC and the website then communicate without any encryption.
Consider the following attack in which the hacker listens to the communication between the Client and the website:
a) Can the hacker obtain the Client’s password (P)? Why?
b) In order to protect the communication between the client and the website, it is suggested the communication in step 7 above be encrypted with the password (P) as the key using AES-128. If P is less than 128 bits, it is padded with 0 to create a 128 bits key. What is the problem with such approach if the average password length is 6? Explain your answer.
The Internet
The Internet
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com