Consider the following protocol, designed to let A and B decide on a fresh, shar
ID: 3865491 • Letter: C
Question
Consider the following protocol, designed to let A and B decide on a fresh, shared session key K'_AB. We assume that they already share a long-term key K_AB. 1. A rightarrow B: A, N_A. 2. B rightarrow A: E(K_AB, [N_A, K'_AB]) 3. A rightarrow B: E(K'_AB, N_A) a. We first try to understand the protocol designer's reasoning: -Why would A and B believe after the protocol ran that they share K'_AB with the other party? -Why would they believe that this shared key is fresh? In both cases, you should explain both the reasons of both A and B, so your answer should complete the sentences A believes that she shares K'_AB with B since... B believes that he shares K'_AB with A since... A believes that K'_AB is fresh since... B believes that K'_AB is fresh since... b. Assume now that A starts a run of this protocol with B. However, the connection is intercepted by the adversary C. Show how C can start a new run of the protocol using reflection, causing A to believe that she has agreed on a fresh key with B (in spite of the fact that she has only been communicating with C). Thus, in particular, the belief in (a) is false. c. Propose a modification of the protocol that prevents this attack.Explanation / Answer
Here is the solution of given criteria, please go through it:-
Part-A)
Part-B)
We consider the following interleaved runs of the protocol:
C is not able to encrypt A:s nonce,
Therefore, it needs to get help using message two. It then initiates a new run with A, letting A do the encryption and reflecting the reply back. A will accept the protocol run and believe that B is present. However, C does not get the session key.
Part-C)
In order to prevent this attack messages must be more specific. A way to achieve this is by having message two include the sender and receiver.
For example, {A, B, NA, K'AB}Kab.