------------------------------------------------------------------------------
Mohamed G. Gouda                                		CS 386S
Spring 2008                                     		Quiz#3
------------------------------------------------------------------------------

A process p needs to establish a session key sk with another process q under
the following three assumptions:

	1. Process p trusts a third process r.

	2. Process p has a private key R.p whose corresponding 
	   public key B.p is known to r.
 
	3. Processes q and r share a symmetric key S.q. 

Can process p obtain from process r a certificate that p can then use to 
establish a session key sk with process q? Explain your answer. 

-------------------------------------------------------------------------------
Student Name:
Student EID :
-------------------------------------------------------------------------------
Solution: The answer is no: p cannot obtain from process r a certificate that
p can then use to establish a session key sk with process q. Here is an 
explanation.

	a. The session key sk needs to be sent to process q encrypted 
	   using S.q, the only key that process q knows. Because process
	   r is the only other process that knows key S.q, process r is
	   the one that generates key sk, encrypts it using key S.q, and
	   forwards the encrypted sk as part of the certificate to 
	   process p, which then forwards the encrypted sk to process q.

	b. Process r also encrypts sk using the public key B.p of process
	   p as part of the certificate that is sent from process r to
	   process p

	c. From a and b, the certificate prepared by r and sent to p is 
	   of the following form: 
	   (r, q, t, B.p<r, q, t, sk, S.q<r, p, t, sk>>)  
	  
	d. The problem is that there is nothing in this certificate
	   that proves to p that r is the process that prepared this
	   certificate. An adversary could have prepared this certificate 
	   except that the prepared certificate is in fact of the form:
	   (r, q, t, B.p<r, q, t, sk, S.e<r, p, t, sk>>)
	   where process e is a process that will attempt to impersonate 
	   q as it communicates with process p. In this case, process
	   p cannot tell the difference between the two certificates.

------------------------------------------------------------------------------