Server Masquerading Attack. In the proposed scheme, a malicious server MS cannot compute the correct M2= h(SK W C1*) because he (or she) does not know S’s private key x. Thereby, MS cannot compute or know C1*, and thus cannot derive the valid IDi. Without knowing Xx’s valid IDi and S’s private key x, MS has to break the secure one-way hash function to retrieve h(IDi). Furthermore, because MS cannot obtain h(IDi), it is impossible to fabricate the proper C1*=h(h(IDi)⊕x) to pass the verification of Ui in Step L2 of the verification phase. Therefore, the proposed scheme is secure against server masquerading attack.
Server Masquerading Attack. The attacker may impersonate himself as GRSj and submits the message R7 towards the
