Consider a server-assisted mutual authentication and key establishment protocol. Assume that Alice and the Server share a pairwise symmetric key KAS, while Bob and the Server share a pairwise symmetric key KBS. During the protocol, the trusted Server generates a fresh, random session key K and distributes it to both Alice and Bob as follows:
1. Alice → Bob: A, NA, where NA is fresh and random
2. Bob → Server: B, encKBS(A, NA, NB), where NB is fresh and random
3. Server → Alice: encKAS(B, NA, K), encKBS(A, K), NB, where K is a fresh session key
4. Alice → Bob: ????
The protocol has two goals: (1) establish a key that is known only to Alice and Bob, and (2) give Alice and Bob confidence that they are talking to each other (not someone else).
• What message should Alice send to Bob in step 4 of the protocol? Explain why your solution leads to a protocol that has the above two properties.
• Suppose the second message of the protocol (from Bob to Server) is changed to B, encKBS(A, NA), NB. In other words, Bob's nonce NB is not encrypted. Is the protocol still secure? Explain.
• Suppose the third message of the protocol (from Server to Alice) is changed to B, encKAS(NA, K), encKBS(A, K), NB. In other words, Bob's identity B is not encrypted. Is the protocol still secure? Explain.
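
As an aid for reasoning about the questions, the following added example (not part of the original exercise) runs steps 1 to 3 of the protocol as written and shows the checks Alice can make on message 3; it stops there because step 4 is left open above. Assumptions: `enc`/`dec` are a toy encrypt-then-MAC stand-in for encK(...), treated as authenticated encryption, and the function names and byte encodings are hypothetical.

```python
import hashlib, hmac, json, secrets

def _stream(key, iv, n):
    # HMAC-SHA256 in counter mode as a keystream (toy construction, assumption)
    blocks = (hmac.new(key, b"ks" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, iv, ct):
    return hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def enc(key, *fields):
    # Stand-in for the page's encK(...): encrypt-then-MAC over the listed fields
    pt = json.dumps([f.hex() for f in fields]).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + _tag(key, iv, ct)

def dec(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, iv, ct)):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))
    return [bytes.fromhex(h) for h in json.loads(pt)]

def run_steps_1_to_3(k_as, k_bs):
    a, b = b"A", b"B"
    n_a = secrets.token_bytes(16)                 # step 1, Alice -> Bob: A, NA
    n_b = secrets.token_bytes(16)                 # Bob's fresh nonce NB
    msg2 = (b, enc(k_bs, a, n_a, n_b))            # step 2, Bob -> Server
    peer, na_seen, nb_seen = dec(k_bs, msg2[1])   # Server picks KBS from cleartext B
    k = secrets.token_bytes(32)                   # fresh session key K
    msg3 = (enc(k_as, b, na_seen, k), enc(k_bs, peer, k), nb_seen)  # step 3
    return n_a, n_b, k, msg3

def alice_accepts(k_as, expected_peer, n_a, msg3):
    # Alice's checks on message 3: valid under KAS, names Bob, echoes her own NA
    try:
        peer, na_echo, k = dec(k_as, msg3[0])
    except ValueError:
        return None
    if peer != expected_peer or not hmac.compare_digest(na_echo, n_a):
        return None
    return k
```

Alice cannot open or verify the second component of message 3, since it is protected under KBS, and NB reaches her in the clear.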