------------------------------------------------------------------------------
Mohamed G. Gouda                                		CS 386S
Spring 2008                                     		Quiz 4
------------------------------------------------------------------------------

Consider a mutual authentication protocol between processes p and q. In this
protocol, process p has a public key B.p and a private key R.p, and process q 
has a public key B.q and a private key R.q. Each process knows its private key
and the public keys of both processes. The protocol consists of four steps as 
follows:

	p --> q : 	np
	p <-- q :	R.q <B.p <np, nq, s> >
	p --> q :	s <nq>
	p <-- q	:	s <nq+1>

where 	np is a nonce selected randomly by p, and 
	nq and s are two nonces selected randomly by q.

What should the session key, computed by this protocol, be? Explain your 
answer. Also briefly explain why is this protocol correct. 

-------------------------------------------------------------------------------
Student Name:
Student EID :
-------------------------------------------------------------------------------
Solution:

The session key can be H(np, nq), H(np, s), or H(np, nq, s). For simplicity,
we assume that the session key is H(np, nq). 

That this protocol is correct follows from the fact that the following six 
conditions hold:

1. Integrity Verification by p: 
   The session key is constructed using the two nonces np and nq. The nonce 
   np was selected by p. And the nonce nq was selected by q as indicated by 
   the second message, which was signed using R.q, in the protocol.

2. Confidentiality Verification by p:
   The nonce nq is sent in the second message of the protocol encrypted by
   B.p and signed by R.q. Thus, only p and q can obtain the nonce nq which
   is part of the session key.

3. Freshness Verification by p:
   The nonce np, which is part of the session key, is selected randomly by 
   process p.

4. Integrity Verification by q:
   The session key is constructed using the two nonces np and nq. The nonce
   nq was selected by q. And the nonce np was selected by p because otherwise
   p would not have sent the third message in the protocol. Note that only
   p could have sent the third message after receiving the second message 
   in the protocol.

5. Confidentiality Verification by q:
   Process q sent the nonce nq encrypted using B.p in the second message of 
   the protocol. Thus, only p and q can obtain the nonce nq which is part
   of the session key.

6. Freshness Verification by q: 
   The nonce nq, which is part of the session key, is selected randomly by
   process q.

Note that no part of this argument referred to the fourth message in the 
protocol. Thus, the fourth message in the protocol is redundant.