From what I've read so far, nonces are random one-time values which are sent in plaintext in addition to the ciphertext to verify the identity of the sender/receiver. Theoretically, if the nonce is random, an attacker E can intercept Alice's message, which was intended for Bob, and impersonate Bob by generating a random nonce, without ever communicating with Bob.
So if the request-response protocol is:
A → B : nA
B → A : {nA, nB}K
A → B : nB
with nA,nB being the nonces and K being a symmetric shared key between Alice and Bob.
- Can the attacker do a reflection attack back at Alice by just changing the nonce?
This way A is fooled into thinking that B is initiating communication with A, and then she would share both their nonces encrypted with the key,
in this case (modifying the 2nd line of the protocol):
B → A : {nA, nE}K
leading to a known-plaintext attack. The attacker has knowledge of both the plaintext and ciphertext in this scenario, so he can derive the secret key.
- Can this flaw in the protocol be fixed by:
- applying K to the nonces?
- including identifier of B (receiver) in the second ciphertext?
Fix Proposal
A → B : {nA}K
B → A : {B, nA}K
A → B : {nB}K
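Added example, not part of the question above: a Python simulation of the three-message protocol with both sides' messages. It runs the protocol once honestly, then once with E opening a second session to Alice and reflecting Alice's own challenge nA back at her so that Alice produces the second message herself, and repeats both runs with the responder's identity placed inside the second ciphertext (the second fix option). The toy HMAC-SHA256-based authenticated encryption standing in for {...}K, the 8-byte identity field, the session labels and the Principal class are all assumptions of this example and come from neither the post nor any real library.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
IDENT_LEN = 8   # assumption: fixed-width identity field so parsing is unambiguous


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy PRF keystream from HMAC-SHA256 (example only; use a real AEAD in practice)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """{plaintext}K: random IV, keystream XOR, then an HMAC tag over IV || ciphertext."""
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


class Principal:
    """An honest party that may act as initiator and as responder in concurrent sessions."""

    def __init__(self, name: str, key: bytes, include_identity: bool):
        self.name = name.ljust(IDENT_LEN).encode()
        self.key = key
        self.include_identity = include_identity   # False: {nA, nB}K   True: {B, nA, nB}K
        self.initiated = {}   # session -> (identity we expect in message 2, our nonce)
        self.responded = {}   # session -> nonce we expect back in message 3

    def start(self, session: str, peer: str) -> bytes:
        """Message 1, A -> B : nA"""
        n = os.urandom(NONCE_LEN)
        self.initiated[session] = (peer.ljust(IDENT_LEN).encode(), n)
        return n

    def respond(self, session: str, challenge: bytes) -> bytes:
        """Message 2, B -> A : {nA, nB}K, or {B, nA, nB}K with the identity fix."""
        n = os.urandom(NONCE_LEN)
        self.responded[session] = n
        body = (self.name if self.include_identity else b"") + challenge + n
        return encrypt(self.key, body)

    def finish(self, session: str, msg2: bytes) -> bytes:
        """Initiator checks message 2 and emits message 3, A -> B : nB"""
        peer, my_nonce = self.initiated.pop(session)
        pt = decrypt(self.key, msg2)
        if self.include_identity:
            ident, pt = pt[:IDENT_LEN], pt[IDENT_LEN:]
            if ident != peer:
                raise ValueError("message 2 names the wrong responder")
        if pt[:NONCE_LEN] != my_nonce:
            raise ValueError("message 2 does not contain my challenge")
        return pt[NONCE_LEN:]

    def verify(self, session: str, msg3: bytes) -> bool:
        """Responder's final check of message 3."""
        return hmac.compare_digest(self.responded.pop(session), msg3)


def honest_run(include_identity: bool) -> bool:
    key = os.urandom(32)
    alice = Principal("Alice", key, include_identity)
    bob = Principal("Bob", key, include_identity)
    n_a = alice.start("s1", "Bob")
    msg2 = bob.respond("s1", n_a)
    msg3 = alice.finish("s1", msg2)
    return bob.verify("s1", msg3)


def reflection_attack(include_identity: bool) -> bool:
    """Eve, who does not know K, tries to be accepted as Bob in session s1. True = she succeeds."""
    key = os.urandom(32)
    alice = Principal("Alice", key, include_identity)
    n_a = alice.start("s1", "Bob")       # A -> "B": nA  (Eve intercepts; Bob never sees it)
    msg2 = alice.respond("s2", n_a)      # Eve opens s2 to Alice, reflecting nA as her challenge
    try:
        msg3 = alice.finish("s1", msg2)  # Eve relays Alice's own {nA, nA'}K as Bob's reply in s1
    except ValueError:
        return False                     # Alice rejects message 2; the reflection failed
    return alice.verify("s2", msg3)      # Eve closes s2 with the nA' Alice just handed her


if __name__ == "__main__":
    print("honest run, original protocol:", honest_run(False))
    print("honest run, with identity    :", honest_run(True))
    print("reflection, original protocol:", reflection_attack(False))
    print("reflection, with identity    :", reflection_attack(True))
```

In the original form Eve never touches K: she only replays ciphertext Alice produced for her, so the weakness is in the message structure, not the cipher. Once the second message carries the responder's own name, Alice's reflected answer says "Alice" where the initiator expects "Bob", and the relay is rejected.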