Consider the following scenario:
Alice and Bob run BB84 to each other.
Eavesdropper Eve is present in the middle. Here we assume that she has access to all channels: the quantum channel, in the classical control channel (where the BB84 protocol runs), and the classical payload channel (where the encrypted traffic is exchanged).
Let's assume for this scenario that the classical control channel (where the BB84 protocol runs) is NOT authenticated.
The lack of authentication allows Eve to perform a woman-in-the-middle attack as follows:
Eve can negotiate a key with Alice, where Alice thinks she is negotiating a key with Bob.
Eve can negotiate a key with Bob, where Bob thinks he is negotiating a key with Alice.
Eve can decrypt the payload traffic from Alice (using the Alice-Eve key) and re-encrypt it (using the Eve-Bob key) and send it to Bob.
Eve can decrypt the payload traffic from Bob (using the Bob-Eve key) and re-encrypt it (using the Eve-Alice key) and send it to Alice.
In general, the Alice-Eve and the Bob-Eve keys will be different.
My question is: is there any way for Eve to perform a woman-in-the-middle attack and force the Alice-Eve key and the Bob-Eve key to be the same?
