In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw.

The essence of the protocol is

A B : A {t_A, r _A, ID_B}

B A : B {t_B , r_B , ID_A , r_A}

A B : A {r_B}

where t_A and t_B are timestamps, r_A and r_B are nonces, and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X.

The text of X.509 states that checking timestamps t_A and t_B is optional for three-way authentication. But consider the following example:

Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B.

C initially sends the first captured message to B:

C B:A {0, r_A, ID_B}

B responds, thinking it is talking to A but is actually talking to C:

B C:B {0, r_B, ID_A, r_A}

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

A C:A {0, r_A, ID_C}

C responds to A using the same nonce provided to C by B.

C A:C {0, r_B, ID_A, r_A}

A responds with

A C:A {r_B}

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

C B:A {r_B}

So B will believe it is talking to A, whereas it is actually talking to C.

Suggest a simple solution to this problem that does not involve the use of timestamps and show how would your solution solve this impersonating attack.