HW3:
Part I:
Q1:
No, replay attacks are not possible since the server issues a new nonce every time.
Q2:
After going through the first two steps, Oscar needs to respond to the server and complete the transaction by sending EkA(R2). But since Oscar does not have kA, he initiates a new login request with the server, this time transmitting R2 as the nonce. The server responds by sending a new nonce R3, but also the nonce R2 encrypted by kA, EkA(R2). Oscar then transmits this EkA(R2) as the step-3 response to his first login attempt, thus gaining access to the server.
Q3:
Addition of time stamps at each step could be one solution.
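Added example, not part of the homework: a small Python model of the challenge-response protocol that Q2 describes (the exact message format is an assumption reconstructed from the answer: the client sends a nonce, the server returns a fresh nonce plus the client's nonce under kA, and the client answers with the server's nonce under kA). HMAC-SHA256 stands in for EkA, and the server is simulated in-process. The block shows a different fix from the time stamps proposed in Q3: binding the role ("server" or "client") into each encrypted nonce, so the server's own answer can never be reused as a client response. Oscar's sequence from Q2 is modelled only so that the check shows the flawed server accepts it and the role-bound server rejects it.

```python
import hashlib
import hmac
import os


# Stand-in for E_kA (an assumption for this demo): a keyed PRF over label || nonce.
def keyed_tag(key: bytes, label: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


class Server:
    """Challenge-response server for the reconstructed protocol.

    bind_roles=False: the server encrypts whatever nonce the client sends (the Q2 flaw).
    bind_roles=True : the server labels its reply 'server' and expects a 'client' label
                      in step 3, so its own output is useless as a response.
    """

    def __init__(self, keys: dict, bind_roles: bool):
        self.keys = keys
        self.bind_roles = bind_roles
        self.pending = {}  # session id -> (user, nonce issued by the server)

    def _label(self, role: bytes) -> bytes:
        return role if self.bind_roles else b""

    def step1(self, user: str, client_nonce: bytes):
        """Steps 1-2: receive (user, R_client); return (sid, R_server, E_kA(R_client))."""
        sid = os.urandom(8)
        server_nonce = os.urandom(16)
        self.pending[sid] = (user, server_nonce)
        proof = keyed_tag(self.keys[user], self._label(b"server"), client_nonce)
        return sid, server_nonce, proof

    def step3(self, sid: bytes, response: bytes) -> bool:
        """Step 3: accept the session iff response == E_kA(R_server) with the client label."""
        user, server_nonce = self.pending.pop(sid)
        expected = keyed_tag(self.keys[user], self._label(b"client"), server_nonce)
        return hmac.compare_digest(response, expected)


def honest_login(server: Server, user: str, key: bytes) -> bool:
    """A legitimate client that holds kA and authenticates the server before answering."""
    r1 = os.urandom(16)
    sid, r2, proof = server.step1(user, r1)
    server_label = b"server" if server.bind_roles else b""
    if not hmac.compare_digest(proof, keyed_tag(key, server_label, r1)):
        return False  # the server did not prove knowledge of kA
    client_label = b"client" if server.bind_roles else b""
    return server.step3(sid, keyed_tag(key, client_label, r2))


def reflection_attempt(server: Server, victim: str) -> bool:
    """The sequence from Q2, without kA: open session 1, feed R2 back as the nonce of
    session 2, and hand the server's own answer in as the step-3 response of session 1."""
    sid1, r2, _ = server.step1(victim, os.urandom(16))  # session 1 needs E_kA(R2)
    _sid2, _r3, reflected = server.step1(victim, r2)    # session 2 returns E_kA(R2)
    return server.step3(sid1, reflected)                # True only without role binding


def run_demo() -> dict:
    """Run both servers against an honest client and against the reflected response."""
    keys = {"A": os.urandom(32)}  # constructed shared key kA for user A
    flawed = Server(keys, bind_roles=False)
    fixed = Server(keys, bind_roles=True)
    return {
        "honest_on_flawed": honest_login(flawed, "A", keys["A"]),
        "honest_on_fixed": honest_login(fixed, "A", keys["A"]),
        "reflection_on_flawed": reflection_attempt(flawed, "A"),
        "reflection_on_fixed": reflection_attempt(fixed, "A"),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The role label costs nothing in messages or state: the server keeps only its pending sessions, and the legitimate client's behaviour is unchanged apart from the label. Role or direction binding and the time stamps from Q3 are complementary; time stamps limit how long any captured value stays useful, while the label removes the symmetry that lets the server answer its own challenge.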
Part II:
The protocol is not secure. The server doesn't authenticate the sender. So an intruder Z can intercept EKa[R] and ER[M]. Then Z sends to the server the source name A, the destination name Z (his own), and EKa[R], as if A wanted to send him the same message encrypted under the same key R, as A did with B.
The server will respond by sending EKz[R] to A, and Z will intercept it. Because Z knows his key Kz, he can decrypt EKz[R], thus getting his hands on R, which can be used to decrypt ER[M] and obtain M.
Acknowledgment:
Parts of this HW were obtained from CS4601, taught at Indiana University Purdue University Indianapolis by Arjan Durresi.