2. Server responds by sending E(Kb, R) to A.
3. A sends E(R,M) together with E(Kb, R) to B.
4. B knows Kb, thus decrypts E(Kb, R) to get R and will subsequently use R to
decrypt E(R,M) to get M.
You see that a random key is generated every time a message has to be sent. I admit
the man could intercept messages sent between the top secret trusted nodes, but I see
no way he could decrypt them."
"Well, I think you have your man, Lestrade. The protocol isn't secure because
the server doesn't authenticate users who send him a request. Apparently designers
of the protocol have believed that sending E(Kx,R) implicitly authenticates user X as
the sender, as only X (and the server) knows Kx. But you know that E(Kx, R) can be
intercepted and later replayed. Once you understand where the hole is, you will
be able to obtain enough evidence by monitoring the man's use of the computer he
has access to. Most likely he works as follows: After intercepting E(Ka, R) and
E(R,M) (see steps 1 and 3 of the protocol), the man, let's denote him as Z, will continue
by pretending to be A and...
Finish the sentence for Holmes.
4.2 There are three typical ways to use nonces as challenges. Suppose Na is a nonce generated
by A,A
Describe situations for which each usage is appropriate.