CS387 Unit 5 is ...
Bellovin & Merritt, 1992
EKE adds authentication to Diffie-Hellman key exchange, thus eliminating the Man-in-the-Middle attack.
EKE assumes we have a password P known to both sides - Client and Server.
Instead of sending (g^xA mod q) like in D-H, we encrypt this value by the password P and add the Client name:
< Alice, Ep(g^xA mod q) >
The server answers, instead of (g^xB mod q), with
Ep(g^xB mod q)
Quiz: Which of these are drawbacks of using EKE?
Answer: Only the second. Even if the attacker tries dictionary attacks, when they use the correct password, they have no means to recognize (g^xA mod q) is the correct message.
To add authentication to the protocol, the servers sends a random challenge r, encoded with the key k = g^xAxB mod q. The server message is:
< Ep(g^xB mod q), Ek(r) >
Alice decrypts the D-H message, (g^xB mod q), and calculates the key k = g^xAxB mod q.
Next she decrypts Ek(r) and so authenticates the Server.
Now to authenticate herself to the server, she proves she decrypted r. She can't send Ek(r) back, because this is what she received, so she concatenates nounce rA to r and sends back:
< Ek(r || rA) >