Security in CK model. In the CK security model, a secure session reveal on the SM and SP, i.e., SSReveal(SM) and SSReveal(SP), is possible. We can assume the leakage of r1 + dA as it represents a local session state at the side of the SM. It is a local variable needed to be stored in order to be reused after reception of MSG2. Similarly, we can assume r2 + hdB as a local session state at the side of the SP. Again, this variable needs to be stored as it is used two times in the calculations of the SP. Since, SK = H4(g(r1 +dA )(r2 +hdB )), thus only depends on these two local session states, the session key can be retrieved and the scheme turns out to be vulnerable under the CK security model.
Appears in 4 contracts
Samples: pdfs.semanticscholar.org, res.mdpi.com, research-repository.griffith.edu.au
