
Question

Problem 14.6 on pp 448-449 of the textbook (Cryptography-and-Network-Security-Principles-and-Practice-6th-Edition)

14.6 Consider the following protocol, designed to let A and B decide on a fresh, shared session key K'AB. We assume that they already share a long-term key KAB.

1. A → B: A, NA

2. B → A: E(KAB, [NA, K'AB])

3. A → B: E(K'AB, NA)

a. We first try to understand the protocol designer's reasoning:

- Why would A and B believe after the protocol ran that they share K'AB with the other party?

- Why would they believe that this shared key is fresh?

In both cases, you should explain the reasons of both A and B, so your answer should complete the sentences

A believes that she shares K'AB with B since…

B believes that he shares K'AB with A since…

A believes that K'AB is fresh since…

B believes that K'AB is fresh since…

b. Assume now that A starts a run of this protocol with B. However, the connection is intercepted by the adversary C. Show how C can start a new run of the protocol using reflection, causing A to believe that she has agreed on a fresh key with B (in spite of the fact that she has only been communicating with C). Thus, in particular, the belief in (a) is false.

c. Propose a modification of the protocol that prevents this attack.

Explanation / Answer

A believed that he would share K'AB with B since the nonce was returned through message #2, which was encrypted with the key that was only present with B.

B believed that she would share K'AB with A since NA was encrypted with K'AB, which was only retrievable from message #2 by the person who knew KAB.

A believed that K'AB is fresh since it is part of message #2 along with NA (surely message #2 was created after message #1 was sent).

B knows that K'AB is fresh since it was created by him only.

(b) The following interleaved run of the protocol is considered:

1: A → C(B): A, NA

1': C(B) → A: B, NA

2': A → C(B): {NA, K'AB} KAB

2: C(B) → A: {NA, K'AB} KAB

3: A → C(B): {NA} K'AB

C cannot encrypt A's nonce himself; hence he requires message #2. So he begins a new run with A, lets A do the encryption, and the reply is reflected back. A accepts the unprimed protocol run and believes B is there.

(c) To avoid the attack, one needs to be more explicit in the messages; for instance, change message #2 so that it contains sender and receiver respectively, i.e. {A, B, NA, K'AB} KAB.
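A symbolic model of the reflected run in (b) and the acceptance check in (c), added here as an example that is not part of the textbook or of this answer. Encryption is an opaque box that only a holder of the named key can open, key and nonce labels such as "K_AB" and "N_A" are assumptions, and the `explicit` flag toggles the modification proposed in (c).

```python
# Symbolic (Dolev-Yao style) model of problem 14.6: no real cipher, just
# a box that can only be opened by a party holding the key label inside it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    key: str       # label of the key used, e.g. "K_AB" (assumed label)
    body: tuple    # plaintext fields


def open_box(box, known_keys):
    """Return the plaintext only if the key is known; C never holds K_AB."""
    if box.key not in known_keys:
        raise PermissionError("cannot open a box under " + box.key)
    return box.body


def responder_msg2(me, peer, nonce, explicit):
    """Message 2 as built by the party answering a message 1 from `peer`."""
    fresh = "K'_" + me  # the responder chooses the session key
    body = (peer, me, nonce, fresh) if explicit else (nonce, fresh)
    return Enc("K_AB", body)


def initiator_check(me, peer, nonce, box, explicit):
    """Initiator's test for message 2: returns the session key or None."""
    body = open_box(box, {"K_AB"})
    if explicit:
        init, resp, n, k = body
        # part (c): the names inside must match this run's initiator/responder
        if (init, resp) != (me, peer) or n != nonce:
            return None
    else:
        n, k = body
        if n != nonce:
            return None
    return k


def honest_run(explicit):
    """A -> B: A, N_A ; B -> A: E(K_AB, [..., N_A, K']) ; A checks it."""
    return initiator_check("A", "B", "N_A", responder_msg2("B", "A", "N_A", explicit), explicit)


def reflection_run(explicit):
    """Part (b): C intercepts A's message 1, opens run 1' towards A posing
    as B, and reflects A's own message 2' back into the unprimed run."""
    msg2_prime = responder_msg2("A", "B", "N_A", explicit)   # 2': A -> C(B)
    return initiator_check("A", "B", "N_A", msg2_prime, explicit)  # 2: C(B) -> A
```

With `explicit=False` A accepts a key she generated herself as if it came from B; with `explicit=True` the (B, A) names inside the reflected message fail the (A, B) check while an honest run still succeeds.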