Let us consider now the following protocol:
Knowledge: A:[s, KAS, A, B], B:[KBS, A, B],
S:[A, B, E, KAS, KBS, KES] E:[A, B, KES, fake]
Steps:
Can you figure out a way for E to know the session secret? Can you figure out a way for B to know "fake"?
The next exercise considers a more complex server key protocol.