In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw. The essence of the protocol is as follows.

A→ B: A {t_A, r_A, ID_B}

B→ A: B {t_B, r_B, ID_A, r_A}

A→ B: A {r_B}

Where t_a and t_b are timestamps, r_aand r_b are nonces and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X. The text of X.509 states that checking timestamps t_Aand t_Bis optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:

C→ B: A {0, r_A, ID_B}

B responds, thinking it is talking to A but is actually talking to C:

B → C: B {0, r’_B, ID_A, r_A}

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

A→  C: A {0, r_A’ , IDC}

C responds to A using the same nonce provided to C by B:

C→ A: C {0, r’_B, ID_A, r’_A}

A responds with

A→ C: A {r’_B}

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

C → B: A {r’_B}

So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.