Bob can send a valid response to Alice without knowing K by communicating with Charlie, who has a valid K.
1: Alice > Bob: n
2: Bob > Charlie: n  <-- reflection attack
3: Charlie > Bob: E(K, n)  <-- Bob receives the correct response to Alice's challenge
4: Bob > Alice: E(K, n)  <-- and authenticates himself to Alice
A challenge generated by the server prevents replay attacks that would impersonate a legitimate client.
A token should be chosen by a random process (usually a pseudorandom process is used). Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation.
Eve can then replay Alice's reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication.
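The following is an added example, not part of the original notes. It models the four-step listing above in Python with HMAC-SHA256 standing in for E(K, n), and it also applies the point about tokens: challenges are drawn from the OS CSPRNG (`secrets`) rather than a predictable source. The first run shows why Charlie's honest answer is accepted by Alice when the response depends only on K and n; the second shows one standard fix, binding the responder's and the verifier's identities into the MAC so an answer Charlie computes for Bob cannot be presented to Alice as Bob's own. The key, the names "Alice", "Bob" and "Charlie" as byte labels, and the separator format are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample key shared by Alice, Bob's peer group and Charlie.
# Not a real secret; only here so the example runs offline.
K = b"constructed-shared-key-for-example"


def make_challenge(nbytes: int = 16) -> bytes:
    """Alice's challenge n.

    Drawn from the OS CSPRNG so nobody can predict a future token and
    pre-collect a valid response for it (the Eve scenario in the notes).
    """
    return secrets.token_bytes(nbytes)


def respond_plain(key: bytes, n: bytes) -> bytes:
    """E(K, n) as written in the listing: depends only on K and n.

    Any holder of K produces the same bytes, whoever asked and whoever
    the answer is meant for. That property is what Bob exploits.
    """
    return hmac.new(key, n, hashlib.sha256).digest()


def verify_plain(key: bytes, n: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond_plain(key, n), response)


def respond_bound(key: bytes, n: bytes, responder: bytes, verifier: bytes) -> bytes:
    """Hardened response: MAC over (n, who is answering, whom it is for).

    The '|' and '->' separators are an assumption of this example; any
    unambiguous encoding of the three fields works.
    """
    message = n + b"|" + responder + b"->" + verifier
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_bound(key: bytes, n: bytes, response: bytes,
                 claimed_responder: bytes, verifier: bytes) -> bool:
    expected = respond_bound(key, n, claimed_responder, verifier)
    return hmac.compare_digest(expected, response)


def run_plain_relay() -> bool:
    """Steps 1-4 of the listing with the unbound response E(K, n)."""
    n = make_challenge()                          # 1: Alice > Bob: n
    forwarded = n                                 # 2: Bob > Charlie: n
    charlies_reply = respond_plain(K, forwarded)  # 3: Charlie > Bob: E(K, n)
    # 4: Bob > Alice: E(K, n).  Alice cannot tell who computed it.
    return verify_plain(K, n, charlies_reply)     # True: Bob is accepted


def run_bound_relay() -> bool:
    """Same relay, but Charlie answers honestly as Charlie, for Bob."""
    n = make_challenge()
    charlies_reply = respond_bound(K, n, b"Charlie", b"Bob")
    # Alice only accepts a response from Bob that is addressed to Alice.
    return verify_bound(K, n, charlies_reply, b"Bob", b"Alice")  # False


def run_bound_honest() -> bool:
    """Control case: Bob really knows K and answers Alice directly."""
    n = make_challenge()
    bobs_reply = respond_bound(K, n, b"Bob", b"Alice")
    return verify_bound(K, n, bobs_reply, b"Bob", b"Alice")      # True


if __name__ == "__main__":
    print("unbound E(K, n), relayed via Charlie, accepted:", run_plain_relay())
    print("identity-bound response, relayed via Charlie, accepted:", run_bound_relay())
    print("identity-bound response, honest Bob, accepted:", run_bound_honest())
```

The binding works because Alice's verification recomputes the MAC with the names she expects (responder "Bob", verifier "Alice"); Charlie's reply was computed over different names, so the digests differ. Binding identities this way is one common remedy for reflection; another is to use distinct keys per direction, and both combine naturally with a fresh challenge from a CSPRNG.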