In this chall, we're gonna use a standard language to represent messages exchanged between entities :

• entities will be represented by capital letters : A, B, C...Into messages, these letters represent identities
• Messages are represented this way : "A->B, M" means that A is sending to B a message M
• K represents a cyphering key : Kab is a key shared between A and B, Ka is A's public key, Ka- is A private key.
• {M}K is a message K ciphered with the K key, {M}Ka is ciphered with A's public key, and so {M}Ka- is signed with A's private key
• An intruder will be noted I, and we'll precise whom identity it wants to spoof this way : I(A) means that I wants to be seen as A. Intruders can intercept, alterate and destroy messages on the network
• Intruder can only read unciphered messages, or messages ciphered with a key the have (or if they have the complementary key, in case of asymetric ciphering)

Let's suppose this authentication protocol :

S is a key-creating server. It receives messages containing identities of 2 computers and a random number, and then creates and sends a shared key which will be used to encrypt communications between the 2 computers at stake. The key needs to be recalculate for each connection, but unfortunately, it will be allways the same between two fixed entities (A and B will allways share the same key)

For example, A wants to communicate with B, it needs a key. So the first message is :

1. A->S : A, B, Na

Na is a random number used to identify the session. S is creating a key for A and , and sends it back to A :

2. S->A : {Na, B, Kab, {Kab,A}Kbs}Kas

Na is a random number used to identify the session. As the second message is cyphered with the key shared between A and S, only A can read it. A reads Na to be sure this message is the answer waited, gets the Kab key. S sent a ciphered block, {Kab,A}Kbs, that A must send to B (only B can read it, it's cyphered with Kbs, a key shared between S and B :

3. A->B : {Kab,A}Kbs

B read this message, and now have the key to use. He sends a new random number to check if A is okey, and has the good key :

4. B->A : {Nb}Kab

A reads Nb, incrementes it, and sends it back to B, for it to check everything's good :

5. A->B : {Nb+1}Kab

And now, A and B can communicate using their kab shared-key. Everything rules in a perfect world.

But our world is hard and full of bad guys :( So an intruder I, spying the network, got the key shared between A and B. We'll note it CK (Compromised Key) far from now.

I wants B to think he's A. Write the sequence of messages leading to this spoofing (all messages exchanged, not only ones sent by I):

Message1 / Message2 / Messages3 / ...

Example : I(A)->S:{CK,Na}Kas/S->B:{CK,Kbs}Kbs