handouts/ho05.tex
changeset 271 4796f424cf12
parent 270 8f2749152f1e
child 272 4f4612d5f670
--- a/handouts/ho05.tex	Wed Oct 29 19:36:15 2014 +0000
+++ b/handouts/ho05.tex	Wed Oct 29 21:58:08 2014 +0000
@@ -458,10 +458,10 @@
 
 \begin{center}
 \begin{tabular}{l@{\hspace{2mm}}l}
-$A \rightarrow S :$ & $A, B$\\
-$S \rightarrow A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
-$A \rightarrow B :$ & $\{K_{AB}\}_{K_{BS}}$\\
-$A \rightarrow B :$ & $\{m\}_{K_{AB}}$\\
+$A \to S :$ & $A, B$\\
+$S \to A :$ & $\{K_{AB}\}_{K_{AS}}$ and $\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$\\
+$A \to B :$ & $\{K_{AB}\}_{K_{BS}}$\\
+$A \to B :$ & $\{m\}_{K_{AB}}$\\
 \end{tabular}
 \end{center}
 
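Review bot: this hunk is a purely notational change (`\rightarrow` to `\to` render the same arrow) bundled into a commit that otherwise adds a whole new section; it is fine to keep, but it would be easier to review as its own small changeset, and if the intent is consistency, the other `\rightarrow` tables in the handout should get the same treatment in that changeset.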
@@ -535,23 +535,109 @@
 really the wrong incentive for the certification organisations
 to clean up their mess.
 
-The problem we want to study closer here is that
-public-private key encryption is susceptible to
+The problem we want to study closer here is that protocols
+based on public-private key encryption are susceptible to
 person-in-the-middle attack. Consider the following protocol
-where $A$ and $B$ attempt to exchange secret messages using 
+where $A$ and $B$ attempt to exchange secret messages using
 public-private keys. 
 
 \begin{itemize}
 \item $A$ sends public key  to $B$
 \item $B$ sends public key  to $A$
-\item $A$ sends message encrypted with $B$'s public 
+\item $A$ sends a message encrypted with $B$'s public 
 key,\\ $B$ decrypts it with its private key
-\item $B$ sends message encrypted with $A$'s public 
+\item $B$ sends a message encrypted with $A$'s public 
 key,\\ $A$ decrypts it with its private key
 \end{itemize}
   
+\noindent In our formal notation for protocols, this would
+look as follows:
 
-\bigskip\bigskip Keyfobs - protocol
+\begin{center}
+\begin{tabular}{l@{\hspace{2mm}}l}
+$A \to B :$ & $K^{pub}_A$\smallskip\\
+$B \to A :$ & $K^{pub}_B$\smallskip\\
+$A \to B :$ & $\{A,m\}_{K^{pub}_B}$\smallskip\\
+$B \to A :$ & $\{B,m'\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+
+\noindent Since we assume an attacker, say $E$, has complete
+control over the network, $E$ can intercept the first two 
+messages and substitutes her own public key. The protocol
+run would therefore be
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1) & $A \to E :$ & $K^{pub}_A$\smallskip\\
+2) & $E \to B :$ & $K^{pub}_E$\smallskip\\
+3) & $B \to E :$ & $K^{pub}_B$\smallskip\\
+4) & $E \to A :$ & $K^{pub}_E$\smallskip\\
+5) & $A \to E :$ & $\{A,m\}_{K^{pub}_E}$\smallskip\\
+6) & $E \to B :$ & $\{E,m\}_{K^{pub}_B}$\smallskip\\
+7) & $B \to E :$ & $\{B,m'\}_{K^{pub}_E}$\smallskip\\
+8) & $E \to A :$ & $\{E,m'\}_{K^{pub}_A}$
+\end{tabular}
+\end{center}
+
+\noindent where in steps 6 and 8, $E$ can modify the
+messages by including the $E$ in the message. Both messages
+are received encrypted with $E$'s public key; therefore it
+can decrypt it and repackage it with new content. $A$ and $B$
+have no idea that they talking to an attacker. Because $E$
+can modify messages, it seems very difficult to defend 
+against this attack. 
+
+But there is a clever trick\ldots{}dare I say some magic.
+Modify the protocol above so that $A$ and $B$ send their 
+messages in two halves.
+
+\begin{center}
+\begin{tabular}{ll@{\hspace{2mm}}l}
+1) & $A \to B :$ & $K^{pub}_A$\smallskip\\
+2) & $B \to A :$ & $K^{pub}_B$\smallskip\\
+3) & & $\{A,m\}_{K^{pub}_B} \;\mapsto\; H_1,H_2$\\
+4) & $A \to B :$ & $H_1$\smallskip\\
+5) & $B \to A :$ & $\{H_1\}_{K^{pub}_A}$\smallskip\\
+6) & $A \to B :$ & $H_2$
+\end{tabular}
+\end{center}
+
+\noindent The idea is that in step 3, $A$ encrypts the
+message (with $B$'s public key) and then splits the encrypted
+message into two halves. Say the encrypted message is
+
+\begin{center}
+\texttt{\Grid{0X1peUVTGJK0XI7G+H70mMjAM8piY0sI}}
+\end{center}
+ 
+\noindent then $A$ splits it up into two halves
+
+\begin{center}
+$\underbrace{\texttt{\Grid{0X1peUVTGJK0XI7G}}}_{H_1}$\qquad
+$\underbrace{\texttt{\Grid{+H70mMjAM8piY0sI}}}_{H_2}$
+\end{center}
+
+\noindent sends the first half $H_1$ to $b$. $B$ (and also any
+potential attacker) cannot do much with this half. What $B$ 
+does, it encrypts it with $A$'s public key and sends it back
+to $A$. Now $A$ can decrypt it and if it matches with what it
+had send, it will send $B$ the second half $H_2$. Only after
+$B$ received this second part, it will be able to decrypt the
+entire message $\{A,m\}_{K^{pub}_B}$ and see what $A$ had 
+written.
+
+
+\begin{enumerate}
+\item $C$ generates a random number $r$
+\item $C$ calculates $(F,G) = \{r\}_K$
+\item $C \to T$: $r, F$
+\item $T$ calculates $(F',G') = \{r\}_K$
+\item $T$ checks that $F = F'$
+\item $T \to C$: $r, G'$
+\item $C$ checks that $G = G'$
+\end{enumerate}
+
 
 \subsubsection*{Further Reading}
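Review bot: the `\begin{enumerate}` block at the end of this hunk (the protocol with $C$, $T$ and $(F,G) = \{r\}_K$) replaces the old `Keyfobs - protocol` placeholder but arrives with no introductory text, so $C$, $T$, the shared key $K$ and the meaning of splitting the ciphertext into $(F,G)$ are never defined; add at least one sentence before the list saying which parties $C$ and $T$ are and what $K$ is, or keep the placeholder until that text exists. Typos in the new prose: `sends the first half $H_1$ to $b$` should be `to $B$`, `what it had send` should read `what it had sent`, `they talking to an attacker` should read `they are talking to an attacker`, and `including the $E$ in the message` is clearer as `replacing the sender's name by $E$ in the message`; the attacker is also referred to as both `her` (substitutes her own public key) and `it` (it can decrypt it), pick one. Finally, the paragraph after the two-halves table stops at $B$ decrypting $\{A,m\}_{K^{pub}_B}$ and never states what $E$ is now prevented from doing; since the section promises a defence against the person-in-the-middle, add a sentence explaining what $E$ would have to do against this split exchange and why that fails (or under which assumption about $E$ it fails), otherwise a reader will ask why $E$ cannot simply relay $H_1$, the echoed $\{H_1\}_{K^{pub}_A}$ and $H_2$ in turn.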