Ql. Consider the following protocol for session key distribution for AES. Alice and Bob would like to establish a session key k with 128 bits for AES. They carry out the following protocol, where ED denotes the bitwise exclusive-or operation. Step 1: Alice generates two binary string k and N1 of 128 bits ani then sends k1 := k ED N1 to Bob using a public communication channel. Step 2: After receiving k1, Bob generates a binary string N2 of 128 bits, and com-putes k2 := k1® N2, and then sends k2 to Alice using the same communication channel. Step 3: After receiving k2, Alice commutes k3 := N1® k2 and sends it to Bob. Step 4: After receiving k3, Bob computes k3 ED N2 = k. In this way, Bob will recover k. Hence Alice and Bob can establish a session key k for AES after Step 4. Is this protocol secure with respect to passive attacks. Justify your answer briefly. [In any passive attack, we assume that the adversary can only intercept messages exchanged via this communication channnel, but cannot modify messages or insert his/her messages into the communication channel.]
16 marks