Consider the following key establishment protocol:
A -> B: | A |
B -> A: | N |
A -> B: | E_Kas(N|K) |
B -> S: | E_Kbs(A|E_Kas(N|K)) |
S -> B: | E_Kbs(N|K) |
Notations:
A and B are the two main parties of the protocol
S is a trusted server
N is a nonce generated by B
K is a new session key generated by A
Kas and Kbs are long-term keys shared between A and S, and between B and S, resp.
E_K(.) denotes encryption with key K
| denotes concatenation.
The goal of the protocol is to set up a new shared session key between A and B. Party A generates the key and the protocol uses the already existing long-term keys between the parties and the server to transfer the key securely from A to B via the server S. Freshness of the key for B is ensured by using a nonce N, which is generated by B, sent to A, and received back later by B. Freshness of the key for A is trivially ensured by the fact that A generates the key.
In detail, the protocol works as follows: A starts the protocol by identifying herself to B. B generates a new nonce N and sends it to A. A generates a new key K, and sends it together with the nonce N to B encrypted with key Kas. B cannot decrypt this message. He encrypts it with Kbs and sends the result to the server. The server decrypts everything, checks that the identifiers match the long-term keys used for decryption, and then encrypts the key and the nonce with B's long-term key. B can now decrypt this message, check the freshness by verifying the nonce, and accept the key K.
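The honest run described above can be traced in a small symbolic model. This is an added example, not part of the original assignment. It assumes that E_K(.) is modelled as an opaque record that opens only with the same key (no real cipher is used), and that S picks the key for the outer layer of message 4 from the sender's identity; the names Enc, Server, relay, b_accept and honest_run are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext E_K(fields): readable only with the same key."""
    key: bytes
    fields: tuple

def E(key, *fields):
    return Enc(key, fields)

def D(key, ct):
    if not isinstance(ct, Enc) or ct.key != key:
        raise ValueError("cannot decrypt: wrong key or not a ciphertext")
    return ct.fields

class Server:
    def __init__(self, long_term_keys):
        self.keys = long_term_keys            # identifier -> key shared with S

    def relay(self, sender, msg4):
        """Process message 4 from `sender` and return message 5."""
        claimed_id, inner = D(self.keys[sender], msg4)
        # The identifier inside message 4 selects the key for the inner layer,
        # so an identifier that does not match the key makes decryption fail.
        n, k = D(self.keys[claimed_id], inner)
        return E(self.keys[sender], n, k)

def b_accept(kbs, n, msg5):
    """B's final step: decrypt message 5 and verify his own nonce."""
    n_back, k = D(kbs, msg5)
    if n_back != n:
        raise ValueError("nonce mismatch: key is not fresh")
    return k

def honest_run():
    kas, kbs = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed keys
    server = Server({"A": kas, "B": kbs})
    msg1 = "A"                                # A -> B: A
    n = secrets.token_bytes(16)               # B -> A: N
    k = secrets.token_bytes(16)               # session key generated by A
    msg3 = E(kas, n, k)                       # A -> B: E_Kas(N|K)
    msg4 = E(kbs, msg1, msg3)                 # B -> S: E_Kbs(A|E_Kas(N|K))
    msg5 = server.relay("B", msg4)            # S -> B: E_Kbs(N|K)
    return k, b_accept(kbs, n, msg5)

if __name__ == "__main__":
    k_a, k_b = honest_run()
    print("B accepted A's key:", k_a == k_b)
```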
You should analyze the protocol and find attacks against it! There are multiple errors in the protocol that can be successfully exploited by attacks. A useful source could be the following article, which you are recommended to read before you start constructing attacks:
You should hand in a short (3-4 pages) write-up that contains the description of the attacks you found, and the description of a fixed protocol! Please send the write-ups in PDF format to the e-mail address: buttyan@crysys.hu
Deadline: November 30, 2015.