Question
Consider the following protocol, designed to let A and B decide on a fresh, shared session key, Ks. We assume that they already share a long-term key, KAB.
1. A -> B: A, NA
2. B -> A: E(KAB, [NA, Ks])
3. A -> B: E(Ks, NA)
(a) First try to understand the protocol by explaining: why would A and B believe that after a
protocol run, they share Ks with the other party? Why would they believe that this shared
key is fresh?
(b) Assume now that A starts a run of this protocol with B. However, the connection is
intercepted by the adversary C. Show how C can start a new run of the protocol using
reflection, causing A to believe that she has agreed on a fresh key with B (in spite of the
fact that she has only been communicating with C). Thus, in particular, the belief in (a) is
false.
(c) Propose a modification of the protocol that prevents this attack.
Explanation / Answer
(a) A thinks that it shares K'AB with B because her nonce came back in message two encrypted with a key known only to A and B. B thinks that it shares K'AB with A since NA was encrypted with K'AB; that could only have been done by someone who knew KAB, using message two, and only A and B know KAB. A believes that K'AB is fresh since it is included in message two together with NA; therefore, message two must have been constructed after message one was sent. B knows that K'AB is fresh because he chose it himself.

(b) We consider the following interleaved runs of the protocol:
1) A -> C(B): A, NA
1') C(B) -> A: B, NA
2') A -> C(B): {NA, K'AB}KAB
2) C(B) -> A: {NA, K'AB}KAB
3) A -> C(B): {NA}K'AB
C is not able to encrypt A's nonce; therefore, it needs to get help using message two. It initiates a new run with A, letting A do the encryption, and reflects the reply back. A will accept the protocol run and believe that B is present. However, C does not get the session key.

(c) In order to prevent this attack, messages must be more specific. One way to achieve this is to have message two include the sender and receiver, for example {A, B, NA, K'AB}KAB.
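The following is an added, runnable model of the protocol from the question, the reflection attack from part (b), and the sender/receiver fix from part (c). It is not part of the question or the answer above. The construction E(K, ...) is stood in for by a toy encrypt-then-MAC scheme (SHA-256 keystream plus HMAC-SHA256) so that a wrong key or a tampered ciphertext is detected; the class names, the JSON field encoding and the 16-byte nonces and keys are assumptions made for the demonstration, not anything the protocol specifies.

```python
"""Toy model of the A/B session-key protocol, the reflection attack on it, and
the fix that names sender and receiver inside message 2 (added example).
The cipher below only stands in for E(K, ...); it is not one to deploy."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, fields: list) -> bytes:
    """E(key, fields) -> iv || ciphertext || HMAC tag (encrypt-then-MAC)."""
    pt = json.dumps([f.hex() for f in fields]).encode()
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> list:
    """Inverse of toy_encrypt; raises ValueError if the tag does not verify."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("E(): authentication failed")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct))))
    return [bytes.fromhex(h) for h in json.loads(pt)]


class Initiator:
    """The A role of one run; `fixed` selects the patched message 2 format."""

    def __init__(self, name: bytes, peer: bytes, kab: bytes, fixed: bool):
        self.name, self.peer, self.kab, self.fixed = name, peer, kab, fixed
        self.na = os.urandom(16)
        self.ks = self.agreed_with = None

    def msg1(self):
        return self.name, self.na                      # 1. A -> B: A, NA

    def recv_msg2(self, blob: bytes):
        """Return message 3 if message 2 is accepted, otherwise None."""
        try:
            fields = toy_decrypt(self.kab, blob)
        except ValueError:
            return None
        if self.fixed:                                 # fix: {B, A, NA, Ks}KAB
            sender, receiver, na, ks = fields
            if (sender, receiver) != (self.peer, self.name):
                return None                            # not addressed B -> A
        else:                                          # original: {NA, Ks}KAB
            na, ks = fields
        if na != self.na:
            return None
        self.ks, self.agreed_with = ks, self.peer
        return toy_encrypt(ks, [na])                   # 3. A -> B: E(Ks, NA)


class Responder:
    """The B role of one run; any principal takes it when asked to."""

    def __init__(self, name: bytes, kab: bytes, fixed: bool):
        self.name, self.kab, self.fixed = name, kab, fixed
        self.na = self.ks = None

    def msg2(self, sender: bytes, na: bytes) -> bytes:
        self.na, self.ks = na, os.urandom(16)          # responder picks Ks
        fields = [na, self.ks]
        if self.fixed:
            fields = [self.name, sender] + fields       # name sender and receiver
        return toy_encrypt(self.kab, fields)           # 2. B -> A

    def recv_msg3(self, blob: bytes) -> bool:
        try:
            return toy_decrypt(self.ks, blob) == [self.na]
        except ValueError:
            return False


def honest_run(fixed: bool) -> bool:
    """A and B talk directly; both versions complete with the same Ks."""
    kab = os.urandom(32)
    a, b = Initiator(b"A", b"B", kab, fixed), Responder(b"B", kab, fixed)
    msg3 = a.recv_msg2(b.msg2(*a.msg1()))
    return msg3 is not None and b.recv_msg3(msg3) and a.ks == b.ks


def reflection_attack(fixed: bool) -> bool:
    """C, who does not know KAB, opens a second run with A and reflects A's own
    message 2' back as message 2 of the first run. True means A was fooled."""
    kab = os.urandom(32)
    a_run1 = Initiator(b"A", b"B", kab, fixed)
    _, na = a_run1.msg1()                               # 1)  A -> C(B): A, NA
    a_run1p = Responder(b"A", kab, fixed)               # 1') C(B) -> A: B, NA
    msg2p = a_run1p.msg2(b"B", na)                      # 2') A -> C(B): {NA, K'}KAB
    msg3 = a_run1.recv_msg2(msg2p)                      # 2)  C(B) -> A: same blob
    return msg3 is not None and a_run1.agreed_with == b"B"


if __name__ == "__main__":
    print("A fooled (original / fixed):", reflection_attack(False), reflection_attack(True))
```

In the original format A cannot tell message 2 of her own run apart from the message 2' she just produced as a responder, so the reflected blob passes her nonce check and she records B as her peer. With the names inside the encryption, the reflected blob says {A, B, ...} where A expects {B, A, ...}, and the check on the name pair rejects it while honest runs are unaffected. Note that in neither version does C learn the key.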