Chapter 3 Cryptography 85
Applications of Cryptography
4. Perform the encryption and decryption using the RC4 cipher with the established
key. If the application requires multiple session keys, use a message digest on the
agreed-upon secret value and a counter to generate a new key.
There is an attack against this kind of protocol known as “man-in-the-middle.”
Someone could intercept all messages between the two parties and pose as each
individual’s other participant. For example, if Alice wants to communicate with Bob,
she sends a message to initiate a session. The man-in-the-middle intercepts Alice’s
message, builds a secure session with Alice, and initiates his own session with Bob.
Now, all messages Alice sends to Bob go through the attacker. The man-in-the-middle
decrypts Alice’s messages based on the session he created with Alice and saves the
results to examine later. He then re-encrypts the message based on the session he
created with Bob. If a particular application is vulnerable to such an attack, it is
advisable to use a peer-to-peer protocol (see page 86) instead.
Client/Server Applications
A client/server application is distinguished by one central server node that provides
services to several client nodes. Many client/server applications have a need for
cryptographic tools. For example:
• Network applications: Any network that connects several computer nodes to one
central server, such as a local or wide area network, can use cryptography to
establish secure communications between the clients and the server. The network
can also employ authentication to guarantee that intruders do not have access to
the network.
• Database applications: Multiple clients — in this case, database queries — need
access to a server — the database. To ensure that not all fields in the database are
accessible to all clients, restricted fields can be encrypted or signed. In addition,
by distributing secret shares among authorized personnel, you can ensure that
very sensitive data can be accessed only according to the security rules.
• Cryptographic smart cards: Here, you must authenticate users to service providers
such as banks. A smart card holds the individual private keys and includes a
processor that runs the cryptographic algorithms needed to achieve the
appropriate authentication level.
In all these applications, the server generates a public/private key pair for use with all
clients requiring secure communications. The server uses the private key to sign
digital certificates for all nodes that require access to the server and its resources.
It also starts a public key table to register client RSA public keys. Each client computes
an RSA public/private key pair when it is first established as a secure client. The
