Suppose we are using a three-message mutual-authentication protocol, and Alice initiates contact with Bob. Suppose we wish Bob to be a stateless server, and it is therefore inconvenient to require him to remember the challenge he sent to Alice. Let us modify the exchange so that Alice sends the challenge back to Bob, along with the encrypted challenge. So the protocol is as shown in Figure 1. Is this protocol secure? Justify your answer.

Figure 1: Exchange for stateless server

Consider Figure 2 below. Suppose Alice and Bob share a secret key kAB. They use the protocol shown in Figure 2 for mutual authentication. Determine the pitfalls of this protocol.

Figure 2: Mutual Authentication Based on Shared Secret kAB

Reflection attack: Suppose Oscar wants to impersonate Alice to Bob using the protocol in Figure 2. He starts the protocol by claiming to be Alice and sending a nonce N1. When he gets the response and the challenge N2, he cannot proceed further. However, note that he has managed to get Bob to encrypt the nonce N1 for him using the key kAB. Next suppose he starts a second session with Bob, but uses N2 as the initial challenge.

Show the steps by which he can successfully complete the first session.

How can this attack be foiled?

Consider the exchange between Alice and Bob shown in Figure 4 that Oscar can eavesdrop. After this exchange, Alice and Bob decide to use E_kAB(N+1) as the session key for encrypting communications. How can Oscar decrypt this communication without breaking the encryption scheme? Hint: Assume that Oscar can masquerade as Bob to Alice the next time she tries to connect to Bob.

Figure 3: C-R followed by key agreement

l'm Alice kAB