I am working on the exercise below, which asks whether it is possible to attack the following key exchange protocol for sharing a session key $K_s$ between users $X$ and $Y$:
$X \rightarrow Y : X \| r$
$Y \rightarrow X : E (r \| K_s, K_{xy})$
$X \rightarrow Y : E (r, K_s)$
where $K_{xy}$ is a pre-shared secret key between users $X$ and $Y$, $K_s$ is a session key, and $E(m, k)$ is symmetric key encryption of message $m$ with key $k$.
It appears to me that it is secure. Could anyone give me a hand or some hints on a possible attack?
There are two problems in this protocol.
1. An attacker can start the protocol instead of $X$, since the id $X$ is sent unencrypted and the attacker can generate a random $r$. $Y$ generates the key and sends it back to $X$. In the first place, there is no rejection by $Y$.
2. The attacker can store all transmitted $E (r \| K_s, K_{xy})$ and all transmitted messages encrypted with $K_{s_i}$ for future use. When he successfully attacks one of $X$ and $Y$, he can decrypt all the messages, first by decrypting the stored $E (r \| K_s, K_{xy})$. In short, this protocol has no forward secrecy.
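The forward-secrecy point above, as an added simulation that is not part of the question or the answer: the three messages are exchanged as written, every wire message is recorded as a passive eavesdropper would, and once $K_{xy}$ is later exposed the recorded message 2 of each session yields its $K_s$. `E`/`D` are an assumed toy stand-in (SHA-256 keystream XOR) for the page's unspecified $E(m, k)$, and `run_session`, `recover_session_keys` and `demo` are names chosen here.

```python
import hashlib
import os

NONCE_LEN, R_LEN, KEY_LEN = 16, 16, 32


def _keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range(0, length, 32):
        out += hashlib.sha256(k + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def E(m: bytes, k: bytes) -> bytes:
    """Assumed toy stand-in for E(m, k): nonce || (m XOR keystream). Illustration only."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))


def D(c: bytes, k: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k, nonce, len(body))))


def run_session(k_xy: bytes, transcript: list) -> bytes:
    """One run of the protocol; every wire message goes into `transcript`,
    which models what a passive eavesdropper stores for later."""
    r = os.urandom(R_LEN)
    transcript.append(("X->Y", b"X" + r))      # X -> Y : X || r  (nothing binds this to X)
    k_s = os.urandom(KEY_LEN)                  # Y chooses the session key
    msg2 = E(r + k_s, k_xy)
    transcript.append(("Y->X", msg2))          # Y -> X : E(r || K_s, K_xy)
    plain = D(msg2, k_xy)                      # X decrypts and checks its own r came back
    assert plain[:R_LEN] == r
    msg3 = E(r, plain[R_LEN:])
    transcript.append(("X->Y", msg3))          # X -> Y : E(r, K_s)
    assert D(msg3, k_s) == r                   # Y confirms X holds K_s
    return k_s


def recover_session_keys(transcript: list, k_xy: bytes) -> list:
    """Forward-secrecy check: with K_xy exposed, each stored message 2 gives up its K_s,
    so all traffic previously protected by those session keys becomes readable."""
    return [D(m, k_xy)[R_LEN:] for direction, m in transcript if direction == "Y->X"]


def demo(sessions: int = 3) -> bool:
    """Record several sessions, then expose K_xy: every session key is recovered."""
    k_xy, transcript = os.urandom(KEY_LEN), []
    keys = [run_session(k_xy, transcript) for _ in range(sessions)]
    return recover_session_keys(transcript, k_xy) == keys and len(transcript) == 3 * sessions
```

A protocol with forward secrecy (for instance one whose session key comes from an ephemeral Diffie-Hellman exchange) would make `recover_session_keys` return nothing useful even with `k_xy` in hand.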