How can Mallory impersonate Alice in the Wide Mouth Frog protocol?

Notation:

  • A: Alice
  • B: Bob
  • S: Trusted server

  • Ta: Timestamp A
  • Ts: Timestamp S

  • Kab: Session key between A and B
  • Kas: Session key between A and S
  • Kbs: Session key between B and S

Protocol:

step 1:
A->S:A,{Ta,Kab,B}Kas

step 2:
S->B:{Ts,Kab,A}Kbs
+1  A: 

The problem with this protocol is that there is no authentication system in place. Secrecy and authentication are separate concepts that often require separate primitives in order to solve. This protocol is simplistic in that the only primitive it utilizes is a symmetric cipher, which doesn't normally take authentication into consideration (using CMAC mode does, but this alone isn't a simple fix for this protocol).

In an active MITM attack the attacker can sit between any or all of the archetypal characters. In this protocol the attacker wants to be an active MITM between the trusted server and Alice, and between the trusted server and Bob. The trusted server knows all keys in this protocol, and both Alice and Bob are assuming that this server is telling the truth. However, if both Alice and Bob were to connect to Mallory (someone who can modify the message), then the attacker can distribute his own keys, thus defeating this protocol.

Rook
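
The two protocol steps with a separate authentication primitive added, as an example that is not part of the original question or answer: each encrypted payload is sealed encrypt-then-MAC, and S and B verify the tag and the timestamp before accepting anything. Assumptions: HMAC-SHA-256 is used here in place of the CMAC mode the answer mentions, the SHA-256 keystream is a toy stand-in for a real cipher, and `WINDOW` and all function names are hypothetical. As the answer notes, a MAC alone is not a complete fix for the protocol; the block only shows what the added check rejects.

```python
import hashlib, hmac, json, os

WINDOW = 30  # seconds a timestamp stays acceptable (assumed value)

def _subkeys(key):
    # Derive separate encryption and MAC keys from the shared long-term key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(ek, nonce, data):
    # Toy SHA-256 counter keystream standing in for a real cipher (assumption).
    ks = b"".join(hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(ek, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob, now):
    # Verify the tag before decrypting, then enforce timestamp freshness.
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    ts, kab, name = json.loads(_xor_stream(ek, nonce, ct))
    if abs(now - ts) > WINDOW:
        raise ValueError("stale timestamp")
    return ts, kab, name

def server_relay(keys, claimed_sender, blob, now):
    # Step 2: S opens {Ta,Kab,B}Kas with the key of the *claimed* sender,
    # so a message not sealed under that key is rejected, then re-seals for B.
    _ta, kab, dest = unseal(keys[claimed_sender], blob, now)
    return dest, seal(keys[dest], [now, kab, claimed_sender])

if __name__ == "__main__":
    keys = {"A": os.urandom(32), "B": os.urandom(32)}   # Kas, Kbs (constructed)
    msg1 = seal(keys["A"], [1000, os.urandom(16).hex(), "B"])   # step 1 payload
    dest, msg2 = server_relay(keys, "A", msg1, now=1001)
    print(dest, unseal(keys[dest], msg2, now=1002)[2])  # B learns the peer is A
```
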