21.03.2013 Views

Problem - Kevin Tafuro

Problem - Kevin Tafuro

Problem - Kevin Tafuro

SHOW MORE
SHOW LESS

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

When using RSA, if you’re doing one-way key transport, the client need not have a<br />

public key. Here’s a protocol:<br />

1. The client contacts the server, requesting a one-time public key.<br />

2. The server generates a new RSA key pair and signs the public key with its longterm<br />

key. The server then sends the public key and the signature. If necessary,<br />

the server also sends the client its certificate for its long-term key.<br />

3. The client validates the server’s certificate, if appropriate.<br />

4. The client checks the server’s signature on the one-time public key to make sure<br />

it is valid.<br />

5. The client chooses a random secret (the session key) and encrypts it using the<br />

one-time public key.<br />

6. The encrypted secret is sent to the server.<br />

7. The parties attempt to communicate using the session key.<br />

8. The server securely erases the one-time private key.<br />

9. When communication is complete, both parties securely erase the session key.<br />

In two-way authentication, both parties generate one-time keys and sign them with<br />

their long-term private key.<br />

See Also<br />

Recipes 8.17, 13.2<br />

8.22 Confirming Requests via Email<br />

<strong>Problem</strong><br />

You want to allow users to confirm a request via email while preventing third parties<br />

from spoofing or falsifying confirmations.<br />

Solution<br />

Generate a random identifier, associate it with the email address to be confirmed,<br />

and save it for verification later. Send an email that contains the random identifier,<br />

along with instructions for responding to confirm receipt and approval. If a response<br />

is received, compare the identifier in the response with the saved identifier for the<br />

email address from which the response was received. If the identifiers don’t match,<br />

ignore the response and do nothing; otherwise, the confirmation was successful.<br />

Confirming Requests via Email | 447<br />

This is the Title of the Book, eMatter Edition<br />

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!