Due 2/17 at 11:59pm. No late assignments will be accepted.
Submit your solution using CMS. Prepare your solution as .doc, .docx, or .pdf, as follows:
Consider only Dolov-Yao attackers. You may assume that keys are unique.
Below are three simple authentication protocols, where r is a nonce, x*y denotes multiplication, and x**y denotes exponentiation.
Protocol 1:
1 B --> A: B,r (where r is fresh at B)
2 A --> B: {(A*B)+r}K_AB
3 B: Let m be message received
Check whether Dec(K_AB,m) = (A*B)+r
Protocol 2:
1 B --> A: B
2 A --> B: {(A**B)}K_AB
3 B: Let m be message received
Check whether Dec(K_AB,m) = (A**B)
Protocol 3:
1 B --> A: B,r (where r is fresh at B)
2 A --> B: {(A**B)+r}K_AB
3 B: Let m be message received
Check whether Dec(K_AB,m) = (A**B)+r
Attacker T desires to impersonate A to B.
For which protocols will T succeed?
Give attacks or describe the reason they fail.
Consider a schematic version of the key distribution protocols we discussed in lecture.
1 A --> KDC: A, B, r (where r is fresh at A)
2 KDC --> A: A, B, {x, K_AB}K_A, {y, K_AB}K_B
3 A --> B: A, B, {y, K_AB}K_B
where x and y denote finite strings constructed from the three symbols "A" , "B" , and "r" .
Different choices of x and y that a protocol designer makes could lead
to protocols having different properties.
This question explores the implications of the choices that the protocol designer
might make.
The following key distribution protocol is purported to defend against the type attack discussed in the notes against Otway-Rees.
1. A --> B: n,A,B, {r1,n,A,B}K_A
2. B --> C: n,A,B, {r1,n,A,B}K_A, {r2,n,A,B}K_B
3. C --> B: n, {r1+1,K_AB}K_A, {r2+1,K_AB}K_B
4. B --> A: n, {r1+1,K_AB}K_A
Does this defense work? Either exhibit a type attack against this revised protocol or explain why the attack is stopped by the changes.