Q1) Because of known risks of the UNIX password system, it has been recommended that the system be replaced by an alternative system that uses public key cryptography, RSA for example. In this system the standard UNIX password file is replaced with a publicly readable file /etc/publickey. An entry in the file for user A consists of a user’s identifier IDA, the user’s public key, PUA, and the corresponding private key PRA. This private key is encrypted using DES with a key derived from the user’s login password PA. When A logs in, the system decrypts E[PA, PRA] to obtain PRA.
(a) How might the system derive the secret key for DES from the user’s login password PA?
(b) When A logs in, the system verifies that PA was correctly supplied. How?
(c) In terms of password security, does this method offer more, less or the same level of security as the standard UNIX password system? Justify your answer.
