The Internet of Broken Protocols: Showcase #6
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) It's been a while :-). Today I found this little gem while auditing an obscure security system. Please identify any weaknesses. You can post your solution as a comment or email me at thaidn@gmail.com. Enjoy! Notation: * E(K, bytes) is 3DES in CBC mode with zero padding and zero IV. Client and server share two 3DES keys K1 and K2, each has 24 bytes. 1/ Client sends hello. 2/ Server randomly generates and caches 8-byte RAND_S. Denote the first 4 bytes of RAND_S as S1, and the next 4 bytes as S2. Server sends RAND_S. 3/ Client randomly generates and caches 8-byte RAND_C. Denote the first 4 bytes of RAND_C as C1, and the next 4 bytes as C2. Client sends E(K1, RAND_S) || RAND_C. At this point the client computes the session key. It computes T = E(K2, C1 || S1 || C2 || S2). Denote the first 8 bytes of T as T1, and the next 8 bytes as T2. The session key K...