
Consider the following protocol, meant to authenticate $A$ (Alice) to $B$ (Bob) and vice versa.

$$ \begin{align*} A \to B: &\quad \text{“I'm Alice”}, R_A \\ B \to A: &\quad E(\langle 1, R_A\rangle, K) \\ A \to B: &\quad E(\langle 2, R_A+1, P_A\rangle, K) \end{align*} $$

  • $R$ is a random nonce.
  • $K$ is a pre-shared symmetric key.
  • $P$ is some payload.
  • $E(m, K)$ means $m$ encrypted with $K$.
  • $\langle m_1, \ldots, m_n\rangle$ means an assemblage of the $m_i$'s that can be decoded unambiguously ($n$ is encoded unambiguously as well).
  • We assume that the cryptographic algorithms are secure and implemented correctly.

An attacker (Trudy) wants to convince Bob to accept her payload $P_T$ as coming from Alice (in lieu of $P_A$). Can Trudy thus impersonate Alice? How?

This is a follow-up to "Break an authentication protocol based on a pre-shared symmetric key".

Gilles 'SO- stop being evil'

1 Answer


(re-post of my comment as an answer)

The only party that generates encryptions of messages $m$ such that $m$:

  • contains 3 parts
  • begins with a "2"

is Alice. Each time she generates such a ciphertext, the last component is $P_A$. If $E$ is a strong enough encryption (non-malleable), then Trudy will not be able to generate by herself an encryption $E(m)$ of a message in the format $m=\langle 2,R,P_T \rangle$ that Bob would accept (except with negligible probability).

Ran G.
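As an added illustration of the answer's condition (example code written here, not by either poster), the following Python models the third message and Bob's acceptance check under two toy instantiations of $E$: a bare keystream cipher (malleable) and the same cipher with an HMAC-SHA256 tag appended (non-malleable, encrypt-then-MAC). The SHA-256 counter-mode keystream, the 64-bit nonce, the length-prefixed encoding of $\langle \cdot \rangle$, and the payload strings are all assumptions made for this example. Bob's check (three parts, first part "2", second part $R_A+1$) passes a byte-edited payload when $E$ is malleable and rejects it when $E$ is authenticated, which is exactly what the answer's "strong enough encryption" buys.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 16   # per-message IV for the toy keystream cipher (assumption)
TAG_LEN = 32  # HMAC-SHA256 tag length


# --- <m1, ..., mn>: unambiguous encoding (count, then length-prefixed parts) ---
def encode(*parts: bytes) -> bytes:
    out = struct.pack(">I", len(parts))
    for p in parts:
        out += struct.pack(">I", len(p)) + p
    return out


def decode(blob: bytes) -> list:
    (n,) = struct.unpack(">I", blob[:4])
    pos, parts = 4, []
    for _ in range(n):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        parts.append(blob[pos:pos + ln])
        pos += ln
    if pos != len(blob):
        raise ValueError("malformed assemblage")
    return parts


# --- toy E(m, K): SHA-256 in counter mode as a keystream (assumption, not AES) ---
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the pre-shared key K.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt_malleable(m: bytes, key: bytes) -> bytes:
    """Confidential but malleable: flipping a ciphertext bit flips a plaintext bit."""
    iv = os.urandom(IV_LEN)
    k_enc, _ = _subkeys(key)
    return iv + _xor(m, _keystream(k_enc, iv, len(m)))


def decrypt_malleable(c: bytes, key: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    k_enc, _ = _subkeys(key)
    return _xor(body, _keystream(k_enc, iv, len(body)))


def encrypt_authenticated(m: bytes, key: bytes) -> bytes:
    """Same cipher plus HMAC over iv||ciphertext: any edit is detected."""
    _, k_mac = _subkeys(key)
    c = encrypt_malleable(m, key)
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def decrypt_authenticated(c: bytes, key: bytes) -> bytes:
    _, k_mac = _subkeys(key)
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return decrypt_malleable(body, key)


# --- the protocol's third message and Bob's check ---
def nonce_bytes(r: int) -> bytes:
    return struct.pack(">Q", r)  # 64-bit nonce (assumption)


def alice_msg3(r_a: int, p_a: bytes, key: bytes, encrypt) -> bytes:
    return encrypt(encode(b"2", nonce_bytes(r_a + 1), p_a), key)


def bob_accept(msg3: bytes, r_a: int, key: bytes, decrypt):
    """Payload Bob attributes to Alice, or None if the message is rejected."""
    try:
        parts = decode(decrypt(msg3, key))
    except ValueError:
        return None
    if len(parts) != 3 or parts[0] != b"2" or parts[1] != nonce_bytes(r_a + 1):
        return None
    return parts[2]


# Byte offset of P_A inside the ciphertext: IV + count + <len,"2"> + <len,nonce> + len(P_A).
PAYLOAD_OFFSET = IV_LEN + 4 + (4 + 1) + (4 + 8) + 4


def edit_payload(msg3: bytes, p_a: bytes, p_t: bytes) -> bytes:
    """Overwrite the payload region with P_T by XORing in P_A ^ P_T (same length)."""
    assert len(p_a) == len(p_t)
    start, end = PAYLOAD_OFFSET, PAYLOAD_OFFSET + len(p_a)
    return msg3[:start] + _xor(msg3[start:end], _xor(p_a, p_t)) + msg3[end:]


def demo() -> dict:
    key = os.urandom(32)
    r_a = int.from_bytes(os.urandom(8), "big") >> 1  # keep R_A + 1 within 64 bits
    p_a, p_t = b"pay Bob 10", b"pay Tru 99"          # constructed sample payloads
    results = {}
    for name, enc, dec in (("malleable", encrypt_malleable, decrypt_malleable),
                           ("authenticated", encrypt_authenticated, decrypt_authenticated)):
        msg3 = alice_msg3(r_a, p_a, key, enc)
        honest = bob_accept(msg3, r_a, key, dec)
        edited = bob_accept(edit_payload(msg3, p_a, p_t), r_a, key, dec)
        results[name] = (honest, edited)
    return results


if __name__ == "__main__":
    for mode, (honest, edited) in demo().items():
        print(f"{mode:14s} honest run -> {honest!r}, edited payload -> {edited!r}")
```

With the malleable $E$, Bob's structural check is satisfied by the edited message because the first two components and the part count are untouched; only the integrity tag in the authenticated variant ties the payload to the rest of the assemblage and to Alice's possession of $K$.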