Alice would like to send confidential and authenticated messages for Bob. Consider the following security protocol between Alice, Bob, using a trusted Server. Notation: E(M,K) encryption of message M with key K; D(M,K) decryption of message M with key K; Sign(M,K) signature of message M with key K, KD-X is the private key of X, KE-X is the public key of X, K_session is a secret key, Id-X is the identity of X, h(M) is the hash value of message M, Time1 is a time stamp, and || denotes a concatenation of the messages. Assume, Alice and Bob know the Servers public key (KE-S) in a reliable manner.

Message 1: A S: Request signed public keys for A and B

Message 2: S A: Sign([KE-B || Id-B], KD-S) || Sign([KE-A || Id-A], KD-S)

Why did the Server sign both KE-B and KE-A?

Message 3: A B: Sign([KE-A || Id-A], KD-S) || E( K_session, KE-B) || E (M, K_session) || Sign(h(M), KD-A)

How can B verify that message originated from A?

What happens if a passive attacker intercepts this message?

Message 4: B A: E (ACK, K_session)

What will Alice know after receiving the acknowledgment from Bob?

Assume that the protocol is modified as follows:

Message 1: A S: Request signed public keys for A and B

Message 2: S A: (Bobs key || Sign(KE-B, KD-S)) || (Alices key || Sign(KE-A, KD-S))

Message 3: A B: Alices key || Sign(KE-A, KD-S) || E( K_session, KE-B) || E (M, K_session) || Sign(h(M), KD-A)

Message 4: B A: E (ACK, K_session)

Show how Eve can attack the protocol such that she can disclose the message M.