Suppose Security(server) is better than Security(client), so only the client's private key can possibly be compromised.
2, In the MTI/A0 protocol
If it's server-server, it's secure.
But in a client-server authentication situation, suppose the private key of the client, a, is compromised.
Then
- Previous communication will not be compromised, supposing the attacker only has eavesdropped information, because:
a^x, a^y, a are known, but b on the server is unknown, so it's not possible to get the key.
- The attacker cannot pose as the server.
Because, if the client stores the server public key a^b, even if the attacker can get it, he cannot find b.
And he cannot get the session key, because
session k = a^(ya+xb) = (a^y)^a * (a^x)^b
he hasn't got b, so no session key.
That's why it's mutual implicit key authentication. If you steal one private key (= ID), you can only pose as that ID and communicate on its behalf, not as the other side.
3, Conclusion: mutual key authentication is secure only if
both private keys are secure; then neither side can be faked.
But even if one key is compromised, no previous session key is compromised.
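The three cases above, checked numerically in an added example that is not part of the original post. It assumes a toy group (the Mersenne prime 2^127 - 1 with base 3, written G here where the post writes the base as a); the function and variable names are illustrative.

```python
import secrets

# Toy group (constructed for illustration): P is the Mersenne prime 2^127 - 1.
# Real deployments use a vetted prime-order group and validate received values.
P = 2**127 - 1
G = 3  # plays the role of the base the post writes as "a"

def keypair():
    """Return (private exponent, public value G^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_static, own_eph, peer_static_pub, peer_eph_pub):
    """MTI/A0 key: (peer ephemeral)^own_static * (peer static)^own_ephemeral."""
    return pow(peer_eph_pub, own_static, P) * pow(peer_static_pub, own_eph, P) % P

def run_scenarios():
    a, pub_a = keypair()   # client long-term key (the one assumed stolen)
    b, pub_b = keypair()   # server long-term key (never leaves the server)
    x, eph_x = keypair()   # client ephemeral for a past session
    y, eph_y = keypair()   # server ephemeral for that session

    k_client = session_key(a, x, pub_b, eph_y)
    k_server = session_key(b, y, pub_a, eph_x)

    # Eavesdropper holding a: can compute (G^y)^a, but the other factor
    # G^(x*b) needs x or b, i.e. solving Diffie-Hellman on (G^x, G^b).
    known = pow(eph_y, a, P)
    missing = k_client * pow(known, -1, P) % P

    # Stolen a used to pose as the client: the holder picks its own x2,
    # so it has both exponents the client-side formula needs.
    x2, eph_x2 = keypair()
    y2, eph_y2 = keypair()
    k_attacker = session_key(a, x2, pub_b, eph_y2)
    k_server2 = session_key(b, y2, pub_a, eph_x2)

    return {
        "honest_match": k_client == k_server,
        "missing_is_dh_of_x_and_b": missing == pow(G, x * b, P),
        "client_impersonation_works": k_attacker == k_server2,
    }

if __name__ == "__main__":
    print(run_scenarios())
```

Posing as the server leaves the same gap as the eavesdropping case: the client's key contains (G^b)^x, which needs b or the client's own x.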