<![CDATA[
# T2
**Deadline:** Wednesday, October 17, 2018 at 11:59 pm
*This assignment should be completed individually.*
##Problem 1
Below are three simple authentication protocols, where r is a nonce,
```x*y``` denotes multiplication, and ```x**y``` denotes exponentiation.
```
Protocol 1:
1. B --> A: B,r (where r is fresh at B)
2. A --> B: Enc((A*B)+r; K_AB)
3. B: Let m be message received
Check whether Dec(m; K_AB) = (A*B)+r
```
```
Protocol 2:
1. B --> A: B
2. A --> B: Enc((A**B); K_AB)
3. B: Let m be message received
Check whether Dec(m; K_AB) = (A**B)
```
```
Protocol 3:
1. B --> A: B,r (where r is fresh at B)
2. A --> B: Enc((A**B)+r; K_AB)
3. B: Let m be message received
Check whether Dec(m; K_AB) = (A**B)+r
```
Attacker M desires to impersonate A to B. For which protocols will M
succeed? Give attacks (using the same protocol syntax used in class and
above) or describe the reason the protocol is secure.
##Problem 2:
Consider the following schematic version of a key distribution protocols
similar to those we discussed in class:
```
1. A --> KDC: A, B, r (where r is fresh at A)
2. KDC --> A: A, B, Enc(x, K_AB; K_A), Enc(y, K_AB; K_B)
3. A --> B: A, B, Enc(y, K_AB; K_B)
```
where x and y denote finite strings constructed from the three symbols
"A" , "B" , and "r" . Different choices of x and y that a protocol
designer makes could lead to protocols having different properties. This
question explores the implications of the choices that the protocol
designer might make.
(a) Give replacements for x and y that make it possible for an adversary
M to perform a man-in-the-middle attack that allows M to read all
messages exchanged between A and B, but makes it impossible for M to
perform replay attacks on message 2. Exhibit the man-in-the-middle
attack (using standard protocol syntax). Explain why the replay attack
will not work.
(b) Give replacements for x and y that make it impossible to perform
man-in-the-middle attacks that allow the adversary M to read messages
and impossible to perform replay attacks of message 2. Explain why
neither attack will work.
##Problem 3:
The following key distribution protocol is purported to defend against
the type attack against Otway-Rees discussed in class:
```
1. A --> B: n, A, B, Enc(r1, n, A, B; K_A)
2. B --> KDC: n, A, B, Enc(r1, n, A, B; K_A), Enc(r2, n, A, B; K_B)
3. KDC --> B: n, Enc(r1+1, K_AB; K_A), Enc(r2+1, K_AB; K_B)
4. B --> A: n, Enc(r1+1, K_AB; K_A)
```
Does this defense work? Either exhibit a type attack against this
revised protocol (using standard protocol syntax) or explain why the
attack is stopped by the changes.
## Feedback
This is the first time this course has been offered. In the interest of
improving future iterations of this course, please answer the following
questions:
1. How long did you spend on this assignment?
2. Any comments or feedback? Things you found interesting? Things you
found challenging? Things you found boring?
### Collaboration Policy
Each student should submit their own solution to this assignment. You may
discuss ideas with other students at a high-level, but under no
circumstances should you be looking at another student’s solution. Any
ideas that originated with another person should be cited.
### What to Submit
Submit your solution as a 4-page pdf to
<a href="https://submit.cs.pomona.edu">submit.cs.pomona.edu</a>.
Start each problem’s solution on a new page. Use at most 1 page per
problem. (Use the fourth page to answer the feedback questions.)
Submissions that fail to follow the submission guidelines may be subject
to a 10% deduction.
]]>