Consider the following protocol, designed to let A and B decide on a fresh, sharedsession key K‘_AB

AB  .We assume that they already share a long-term key K_AB.

1. A→B:A, N_A.

2. B: A→E(K_AB, [NA, K’_AB])

3. A→ B:E(K’_AB, N_A)

a. We first try to understand the protocol designer’s reasoning:

—Why would A and B believe after the protocol ran that they share with the K’_AB other party?

—Why would they believe that this shared key is fresh?In both cases, you should explain both the reasons of both A and B, so youranswer should complete the sentences

A believes that she shares K’_ABwith B since...

B believes that he shares K’_AB with A since...

A believes that K’ _ABis fresh since...

B believes that K’ _ABis fresh since...

b. Assume now that A starts a run of this protocol with B. However, the connectionis intercepted by the adversary C. Show how C can start a new run of the protocolusing reflection, causing A to believe that she has agreed on a fresh key with B (inspite of the fact that she has only been communicating with C).Thus, in particular,the belief in (a) is false.

c. Propose a modification of the protocol that prevents this attack.