Question: Consider the key exchange protocol here:
- A generates a random number R and sends to the server his name A, destination B, and E(Ka, R).
- Server responds by sending E(Kb, R) to A.
- A sends E(R, M) together with E(Kb, R) to B.
- B knows Kb, thus decrypts E(Kb, R), to get R and will subsequently use R to decrypt E(R, M) to get M.
In this scheme, Darth can capture the message in step 1 and replay it later. How can Darth fool the server to get the value of R?
How can Darth then fool B by sending messages encrypted with R and pretending that Darth is actually A?
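
An added example, not part of the original question: a Python simulation of the four steps above, showing that the step-1 message carries nothing tying it to a single run, so the server answers a captured copy exactly as it answered the original unless it remembers what it has already processed. `E` is a hash-based XOR stand-in for the unspecified cipher, and the `Server` class, its `detect_replay` flag and the key values are assumptions made for illustration.

```python
import hashlib
import os

def _stream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as keystream: a stand-in for E(), not a vetted cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

D = E  # XOR stream: decryption is the same operation

class Server:
    def __init__(self, keys, detect_replay=False):
        self.keys = keys
        self.detect_replay = detect_replay
        self.seen = set()  # digests of step-1 messages already processed

    def handle(self, sender, dest, blob):
        tag = hashlib.sha256(sender.encode() + b"|" + blob).digest()
        if self.detect_replay and tag in self.seen:
            raise ValueError("step-1 message seen before")
        self.seen.add(tag)
        r = D(self.keys[sender], blob)      # recover R with Ka
        return E(self.keys[dest], r)        # step 2: E(Kb, R)

def run_exchange(server, keys, message):
    r = os.urandom(16)
    step1 = ("A", "B", E(keys["A"], r))          # step 1
    step2 = server.handle(*step1)                # step 2
    step3 = (E(r, message), step2)               # step 3
    r_at_b = D(keys["B"], step3[1])              # step 4: B recovers R
    return step1, D(r_at_b, step3[0])            # ... and then M

if __name__ == "__main__":
    keys = {"A": b"constructed-key-A", "B": b"constructed-key-B"}  # constructed
    step1, m = run_exchange(Server(keys), keys, b"hello B")
    print("B read:", m)
    strict = Server(keys, detect_replay=True)
    strict.handle(*step1)
    try:
        strict.handle(*step1)
    except ValueError as e:
        print("second copy rejected:", e)
```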
