Answer Happy

(b) In the public-key infrastructure (PKI), there are three parties: a trusted third party (A), a prover (B), and a verifier (C). The idea is that the identity of a party B can be verified by party C using information provided by A to B and C. To arrange this. party A generates two prime numbers, p and q, computes their product n, and also generates a pair of RSA encryption and decryption exponents, e and d using this n. They then publish (n.e) to parties B and C, and keep d, p and q secret. Party B sends their public identity P (a name and/or email) to party A, who returns to them the value of R = p-1 mod n, which serves as B's secret. Now, the identification protocol can proceed in the following way. Step 1. Party B generates a random number k € (1.n-1) and computes T = k mod n, which they then send to C, while keeping the value k secret. Step 2. C chooses a random number a € [0,e-1) and sends it to B. Step 3. B computes b = k R mod n and sends b to B. Step 4. C accepts public identity Pof B as authentic if and only if T = p mod n. (1) Show that T = pl. bt mod n. 14 marks) (ii) Assuming party C knows the factorisation of n = p.4, show how they can obtain B's secret (ie, the value of R) from this protocol, only using publicly available e and P. (4 marks) (iii) Assuming an attacker knows in advance (i.e., before the start of the protocol), which value of a would be used by Cin Step 2, show how they can impersonate B. [4 marks) 2