--- a/handouts/ho05.tex Wed Oct 29 16:49:00 2014 +0000
+++ b/handouts/ho05.tex Wed Oct 29 17:35:41 2014 +0000
@@ -446,6 +446,55 @@
two different keys. This would have averted this attack and
would have saved me a lot of trouble.
+\subsubsection*{Trusted Third Parties}
+
+One limitation the protocols we discussed so far is
+that they pre-suppose a secret shared key. As already
+mentioned, this is a convenience we cannot always assume.
+How to establish a secret key then? Well, if both parties,
+say $A$ and $B$, mutually trust a third party, say $S$,
+then they can use the following protocol:
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \rightarrow S :$ & $A, B$\\
+$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
+$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\
+$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\
+\end{tabular}
+\end{center}
+
+\noindent The assumption in this protocol is that $A$ and $S$
+share a secret key, and also $B$ and $S$ ($S$ being the
+trusted third party). The goal is that $A$ can send $B$ a
+message $m$ under a shared secret key $K_{AB}$, which at the
+beginning of the protocol does not exist yet. How does this
+protocol work? In the first step $A$ contacts $S$ and says
+that it wants to talk to $B$. In turn $S$ invents a new key
+$K_{AB}$ and sends two messages back to $A$: one message is
+$\{K_{AB}\}_{K_{AS}}$ which is encrypted with the key $A$ and
+$S$ share, and also the message
+$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which is encrypted with
+$K_{AB}$ but also a second time with $K_{BS}$. The point of
+the second message is that it is a message intended for $B$.
+So a receives both messages and can decrypt them---in the
+first case it obtains the key $K_{AB}$ which $S$ suggested to
+use. In the second case it obtains a message it can forward to
+$B$. $B$ receives this message and since it knows the key it
+shares with $S$ obtains the key $K_{AB}$. Now $A$ and $B$ can
+start to exchange messages with the shared secret key
+$K_{AB}$. What is the advantage of $S$ sending $A$ two
+messages instead of contacting $B$ instead? Well, for one
+there can now be a time-delay between the second and
+third step in the protocol. At some point in the past
+$A$ and $S$ need to have come together to share
+a key, similarly $B$ and $S$. After that $B$ does not need to
+be ``online'' anymore until $A$ actually starts sending messages
+to $B$. $A$ and $S$ can completely on their own negotiate a
+new key.
+
+\subsubsection*{Averting Person-in-the-Middle Attacks}
+
\bigskip\bigskip
Keyfobs - protocol
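Review bot: the explanation of the second message from $S$ contradicts the protocol table. The table gives the message as $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$, i.e. $K_{AB}$ encrypted first under $K_{BS}$ and then again under $K_{AS}$, but the prose says it "is encrypted with $K_{AB}$ but also a second time with $K_{BS}$", which names the wrong keys (and $K_{AB}$ is the payload, not a key used for encryption here). Suggested wording: "which is encrypted with $K_{BS}$ and then a second time with $K_{AS}$"; this also matches the later sentence that $A$ can strip the outer layer and forward the inner $\{K_{AB}\}_{K_{BS}}$ to $B$. Smaller points in the same hunk: the stray full stop in "$\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$. which" should be a comma; "So a receives both messages" should read "So $A$ receives both messages"; "One limitation the protocols we discussed so far" is missing "of"; "instead of contacting $B$ instead?" repeats "instead". Finally, the new \subsubsection*{Averting Person-in-the-Middle Attacks} is added with no body before the existing \bigskip\bigskip and "Keyfobs - protocol" lines, so either fill it in or leave the heading out of this change.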