This problem appeared in a past exam paper.
In PAKE (password authenticated key exchange) protocols, $A$ and $B$ authenticate each
other by knowledge of a shared password that is too weak to allow an attacker to try out
repeated guesses to try to find it by knowing how a single message of the protocol was
constructed. There is no cryptographic signature or alternative shared secret or trusted
third party they can use. Such a protocol typically works as follows:
• Phase 1: $A$ and $B$ exchange data that they have created for this session and values
they have computed from this and their own assumed value for the password $p_{AB}$.
Note that if they are A and B, they will both know the same $p_{AB}$ but if one or
both of them are spoofing the values they assume will probably be different. From
these computations they both obtain a key $k_A$ or $k_B$, which will be the same if their
password values were the same.
• Phase 2: They compare $k_A$ and $k_B$ by an exchange of messages which allow them
to see if they agree, but do not reveal $k_A$ or $k_B$ to the world, and do not allow either
party to think they agree when they do not.
Why should $A$ not send, as part of this protocol, $hash(p_{AB}, N)$, where $N$ is a nonce known
to $B$ until she is sure that $B$ is not an impostor and actually knows $p_{AB}$? Extend this to
general guidance about what messages of the form hash($X$) should not be sent from $A$ to
$B$ where $X$ involves $p_{AB}$ in its construction.
Now think about implementing Phase 2 only. How could you use hashing to achieve the
objective of Phase 2, in such a way that if $A$ or $B$ has actually been talking to an impostor
with a different password in Phase 1, the impostor cannot manipulate the messages to
make her or him think the protocol has completed successfully.
My attempt:
a) $A$ should not send, $hash(p_{AB}, N)$ as an Impostor $I_B$ can reuse the same nonce and send the $hash(p_{AB}, N)$ back to A, pretending to know the password $p_{AB}$
b) $X$ should not be $p_{AB}$ (on it's own). It should also contains some sort of identification for each user, unique to what the other user sends ie. if Alice sends $hash(X_1)$ and Bob sends $hash(X_2)$, $X_1 \neq X_2$. Is this enough? I can't think of anything else.
c) For implementing phase 2, make Alice send $hash(E_{k_A}(Alice|k_A))$ and Bob send $hash(E_{k_B}(Bob|k_B))$. Where $E_k$ is an encryption function, encrypted using key $k$. Is this correct?