Hello all,

I have this question, hope to get some guidance...

Fora simple password-based challenge-response protocol between a user A
and a server S, where Pa is A's password, n is a random nonce generated
by the server, and h is a known cryptographic hash function.

1. S -> A: E(Pa,n)
2. A -> S: E(Pa,h(n))

How to show that this protocol is vulnerable to an off-line password
guessing attack? and how would the attack take place ?. Under which
circumstances would the vulnerability not be a problem?

any references and views are appreciated-----
thanks again....!merry christmas !!!