The table below shows the authentication protocol, wherein pwd is Albert\'s pass

Question

The table below shows the authentication protocol, wherein pwd is Albert's password and K is a key derived from pwd. Can an attacker that can eavesdrop messages (but not intercept or spoof messages) obtain pwd by off-line password guessing? If you answer no, explain briefly. If you answer yes, describe the attack.

Albert (has pwd)

Bob (has K)

send [conn] to Bob  

generate random challenge Ram

send [Ram]

compute K from pwd

compute A encrypt(Ram) with key K

send [A] to Bob  

compute B decrypt(A) with key K

if B = Ram then Albert is authenticated

Albert (has pwd)

Bob (has K)

send [conn] to Bob  

generate random challenge Ram

send [Ram]

compute K from pwd

compute A encrypt(Ram) with key K

send [A] to Bob  

compute B decrypt(A) with key K

if B = Ram then Albert is authenticated

Explanation / Answer

The whole protocol of authentication shown in the table is the following:

Now let's look at the attacker. It is given that the attacker can only eavesdrop (but can't spoof or intercept anything). So, attacker is able to view only the following two information:

The attacker has to try to obtain the password from the above two pieces of information.

So, attacker has the following two steps to accomplish:

So, even if attacker accomplishes step 1, the next step is almost unlikely to suceed. So, the attacker most probably can't find the pwd by offline guessing.

Related Questions

Navigate

• Browse (All)
• Browse T
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.