The following is a real-world problem.
In a standardized protocol clients can connect to a server using mutual 4-pass authentication on an otherwise unsecured TCP channel:
- pass-1: Client send random Challenge C to server
- pass-2: Server answers by sending random challenge S to client
- pass-3: Client prepares res(S, K) and send it to S
- pass-4: Server answers to client with res(C, K)
res(.) is GCM-GMAC tag that depends on a symmetric key K (in fact AES128, but this might not be relevant here)
Once mutual authentication is successful, client and server can continue to communicate under a so called "association", e.g. client can request some data from server.
However, what happens if an attacker (not having the key) is listening on the network and starts a man-in-the-middle as well as a malicious client (red).
When the real client starts pass-1 and sends C1 to server, at the same time the bad client sends C2. The server responds to both requests, but MitM manages to inject S2 to be sent to the good client, which prepares res(S2) and send it over to the server. But MitM captures res(S2) and inject it as pass-3 to be sent to the server. Now the server authenticates the bad client and sends back res(C2), which is just ignored by the bad-client. So a seemingly mutually authenticated connection has been established between the bad client and server.
I wonder, whether this kind of mutual authentication is really effective.