In a system using public-key cryptography, site B wants to fool C by impersonating A. B waits until A requests to communicate with B. A does this by sending an “I want to communicate” message to B, stating its name (A) and encrypted with B’s public key. Then B springs the trap. It sends an “I want to communicate” message to C claiming it is A and encrypted with C’s public key. To ensure that it is actually communicating with A, C replies (to B) with a message obtained by encrypting a large random number, N , w ith A’s public key. If C gets a response containing N + 1 encrypted with C’s public key, it would like to conclude that the responder is A because only A could have decrypted C’s message. C gets such a response. However, this conclusion is wrong because the

response comes from B. Explain howthis could have happened. (Hint: The protocol can be corrected if the encrypted text of each message includes the name of the sender.)

What will be an ideal response?

---

C replied to B (thinking it was A). When B gets the encrypted message, containing N , it cannot decrypt it, but it sends the message to A using the same protocol. A ecrypts the message and encrypts N + 1 w ith B’s public key since it is trying to complete the protocol with B. B decrypts the message, re-encrypts it with C’s public key, and sends it to C.
If the protocol requires that the encrypted text of each message includes the name of the sender, A would know the message it received from B was constructed by C and not by B.