
Because of the known risks of the UNIX password system, the SunOS-4.0 documentat


Question

Because of the known risks of the UNIX password system, the SunOS-4.0 documentation recommends that the password file be removed and replaced with a publicly readable file called /etc/publickey. An entry in the file for user A consists of a user’s identifier IDA, the user’s public key, PUa, and the corresponding private key PRa. This private key is encrypted using DES with a key derived from the user’s login password Pa. When A logs in, the system decrypts E(Pa, PRa) to obtain PRa. (a) The system then verifies that Pa was correctly supplied. How? (b) How can an opponent attack this system?

Explanation / Answer

A publicly readable password file consists of the following details:

User identifier IDA
Public key of the client PUa
Private key of the client PRa which is encrypted with a key derived from user password Pa utilizing DES i.e. E(Pa, PRa)

Verification of Pa:

The private key and public key of a client are inverses of each other. In order to accept Pa, the approximation of the PRa can be checked.

This should be possible by essentially taking a self-determined block X

To start with, adjust the public key of the client with X

At that point adjust the obtained encrypted value with the private key of the client PRa i.e.

X = D(PRa, E[PUa,X])

The framework calculates the encrypted private key by using the key obtained from the login password. The framework encodes an arbitrary bit of content utilizing the decrypted private key. The framework decodes this encrypted content by using the public key. When the decoded content matches, at that time an opponent can attack the system.
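The round-trip check X = D(PRa, E[PUa, X]) from the answer above, as an added example that is not part of the original question or answer. It assumes textbook RSA with a constructed toy key pair and uses a SHA-256-derived XOR pad as a stand-in for DES; the entry layout, user name and passwords are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for user A: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                    # PUa = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # PRa = D
KEY_BYTES = 16                         # D is below 2**92, so 16 bytes is enough


def _pad(password: str) -> bytes:
    # Stand-in for "DES with a key derived from Pa": a SHA-256-derived XOR pad.
    return hashlib.sha256(password.encode()).digest()[:KEY_BYTES]


def wrap_private_key(password: str, d: int) -> bytes:
    """E(Pa, PRa): the blob stored in the publicly readable file."""
    return bytes(a ^ b for a, b in zip(d.to_bytes(KEY_BYTES, "big"), _pad(password)))


def unwrap_private_key(password: str, blob: bytes) -> int:
    """D(Pa, blob): always yields some integer, whether Pa is right or wrong."""
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, _pad(password))), "big")


def login(entry: dict, password: str, rounds: int = 4) -> bool:
    """Accept Pa only if the recovered key inverts PUa: X == D(PRa, E[PUa, X])."""
    n, e = entry["PUa"]
    d_candidate = unwrap_private_key(password, entry["E(Pa,PRa)"])
    for _ in range(rounds):
        x = secrets.randbelow(n - 2) + 2              # random test block X
        if pow(pow(x, e, n), d_candidate, n) != x:    # encrypt with PUa, decrypt with candidate
            return False
    return True


# Constructed /etc/publickey-style entry for user A.
ENTRY_A = {"IDA": "alice", "PUa": (N, E),
           "E(Pa,PRa)": wrap_private_key("correct horse", D)}

if __name__ == "__main__":
    print("correct password accepted:", login(ENTRY_A, "correct horse"))
    print("wrong password accepted:  ", login(ENTRY_A, "wrong guess"))
```

The unwrap step never fails by itself; only the round-trip test against PUa tells the system whether the supplied Pa produced the real PRa.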