Key agreement$/$IKE $(10-5-10$ points$)$:

$($a$)$ Consider the following key exchange protocol which is similar to IKE Phase $1$ Aggressive

Mode. p is a large prime number and g is a generator of Z$$

p $.$

$1.$ A $$ B : ga mod p$,\{$Alice$\}$Bob$,\{$RA$\}$Bob

$2.$ A $$ B : gb mod p$,\{$Bob$\}$Alice$,\{$RB$\}$Alice$,$ proofB

$3.$ A $$ B : proofA

where

proofA $=$ h$($gab mod p$,$ ga mod p$,$ gb mod p$,$Alice$)$

proofB $=$ h$($gab mod p$,$ gb mod p$,$ ga mod p$,$Bob$)$

K $=$ h$($gab mod p$)$

i$)$ First explain if the protocol authenticates A and B$,$ and achieves secure key agreement

$($discuss key control and key authentication$).\{$m$\}$X denotes a message m encrypted with

public key of x$.$

ii$)$ Modify the protocol so that RA and RB can be eliminated but the protocol can mutually

authenticate A and B$.$ In your modification, no additional protocol message, secret

keys or signature can be used.

$($b$)$ Consider the following simplified IKE Phase $1$ in Aggressive Mode.

A $$ B : $$Alice$,$Bob$,$ ga mod p

A $$ B : $$Bob$,$Alice$,$ gb mod p$,[$ga mod p$]$B

A $$ B : $$Alice$,$Bob$,[$gb mod p$,$ ga mod p$]$A

$[$X$]$A denotes a signature on message X generated by A$.$ The session key established

between A and B is gab mod p$.$ Show that this simplified version is insecure $($allows

attacker to establish a key with one of the participants while pretending to be the other

participant$).$ Hint: consider that this IPSec system has multiple users.