------------------------------------------------------------------------------
Mohamed G. Gouda			            Network Protocol Security
CS 395T					            HW2 Solution
------------------------------------------------------------------------------
1.

Here is a scenario where process p attempts to establish mutual authentication
with another process r and process r uses this opportunity to pretend to be p 
and successfully establish mutual authentication with a third process q. 

a. Process p sends a message B.r<n.p, p> to r.
b. Process r receives this message and sends a message B.q<n.p, p> to q.
c. Process q follows the protocol and sends a message B.p<n.p, n.q> to r.
d. Process r forwards the received message B.p<n.p, n.q> to p.
e. Process p follows the protocol and sends a message B.r<n.q, SK> to r.
f. From this message, process r knows both n.q and SK snd sends the message
   B.q<n.q, SK> to q.

-------------------------------------------------------------------------------
2.

BACK.u = {w}, FORE.u = {(u,v)}, CERT.u = {(u,v),(v,w),(v,x),(x,y)}

BACK.v = {u}, FORE.v = {(v,w),(v.x)}, CERT.v = {(v,w),(w,u),(v,x),(x,y)}

BACK.w = {v,x,y}, FORE.w = {(w,u)}, CERT.w = {(w,u),(u,v),(v,x),(x,y)}

BACK.x = {v}, FORE.x = {(x,w),(x,y)}, CERT.x = {(x,w),(w,u),(u,v),(x,y)}

BACK.y = {x}, FORE.y = {(y,w)}, CERT.y ={(y,w),(w,u),(u,v),(v,x)}

To prove that these values represent a fixed point for the protocol, it is
sufficent to prove that for each user z and each certificate (z,z') the 
following condition holds:

  update(CERT.z, FORE.z) = CERT.z  and  merge(CERT.z, CERT.z') = CERT.z

-------------------------------------------------------------------------------

3.

S  =	if m != MD.(x|nc|sk) --> skip			/not fresh data
      	[] m  = MD.(x|nc|sk) --> nc := NNC		/fresh data
	fi; send nxt(nc) to p

S' =	send nxt(nc) to p

There are two advantages of this protocol over the family of antireplay
protocols discussed in class. First, this protocol is correct for any value
of dl (the degree of loss) and dr (the degree of reorder). Second, if the
receiveing process in this protocol ever "loses its memory", then the adversary
can not replay more than one message.

------------------------------------------------------------------------------