Forward Secrecy. ▇▇▇▇▇ et al. argued that their scheme is secure against various attacks and provides good properties. However, this section shows that ▇▇▇▇▇ et al.’s scheme does not provide forward secrecy, which is a necessary property for a key agreement scheme. As is the normal assumption for forward secrecy, we assume that the attacker can obtain the system’s long-term secret keys KGWN-U and KGWN-S. We also assume that the attacker can steal and read the verification table stored in the GWN [19]. For the attack, the attacker first obtains { TIDi, IDi, TEi } from the verification table. The attacker then computes TCi’=H(KGWN-U||IDi||TEi) using the long-term secret key KGWN-U and the IDi and TEi from the verification table, and derives Ki’=PKSi⊕H(TCi’||TS4), where PKSi and TS4 are taken from a previously intercepted message between Ui and GWN. Note that ▇▇’ works as a very important factor for the confidentiality of communication messages. The attacker next derives Kj’=PKSj⊕H(Ki’||TS6), where PKSj and TS6 are taken from a previously intercepted message between GWN and Ui. Finally, the attacker derives the session key KEYij’=H(Ki’⊕Kj’) correctly. ▇▇▇▇▇▇▇, ▇▇▇▇▇ et al.’s scheme does not provide forward secrecy.
Appears in 1 contract
Sources: Authenticated Key Agreement Scheme
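The derivation above, carried through as an added example (not code from the paper or from this page): it simulates only the masking relations implied by the attack equations, PKSi = Ki⊕H(TCi||TS4) and PKSj = Kj⊕H(Ki||TS6), and checks whether a past session key can be recomputed from KGWN-U, the verification-table row and a recorded transcript. SHA-256 for H, plain byte concatenation for ||, 32-byte Ki and Kj, and all sample values are assumptions.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    # H(a||b||...): SHA-256 and raw concatenation are assumptions, not the paper's encoding
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def honest_session(k_gwn_u, id_i, te_i, ts4, ts6):
    """Run only the parts of one session that the page's equations determine."""
    k_i, k_j = os.urandom(32), os.urandom(32)   # per-session secrets Ki, Kj
    tc_i = H(k_gwn_u, id_i, te_i)               # TCi = H(KGWN-U||IDi||TEi)
    transcript = {                              # values visible on the wire
        "PKSi": xor(k_i, H(tc_i, ts4)), "TS4": ts4,
        "PKSj": xor(k_j, H(k_i, ts6)), "TS6": ts6,
    }
    return H(xor(k_i, k_j)), transcript         # KEYij = H(Ki xor Kj)

def recompute_session_key(k_gwn_u, table_row, transcript):
    """Recompute KEYij' from long-term key + table row + recorded transcript."""
    tc_i = H(k_gwn_u, table_row["IDi"], table_row["TEi"])        # TCi'
    k_i = xor(transcript["PKSi"], H(tc_i, transcript["TS4"]))    # Ki'
    k_j = xor(transcript["PKSj"], H(k_i, transcript["TS6"]))     # Kj'
    return H(xor(k_i, k_j))                                      # KEYij'

def forward_secrecy_audit():
    """Return (recovered_with_real_KGWN-U, recovered_with_unrelated_key)."""
    k_gwn_u = os.urandom(32)                                     # constructed long-term key
    row = {"TIDi": b"tid-01", "IDi": b"user-01", "TEi": b"2030-01-01"}  # constructed table row
    key_ij, transcript = honest_session(
        k_gwn_u, row["IDi"], row["TEi"], b"ts4-sample", b"ts6-sample")
    with_real = recompute_session_key(k_gwn_u, row, transcript) == key_ij
    with_other = recompute_session_key(os.urandom(32), row, transcript) == key_ij
    return with_real, with_other

if __name__ == "__main__":
    real, other = forward_secrecy_audit()
    print("past key recoverable with KGWN-U and table:", real)
    print("past key recoverable with unrelated key:", other)
```

The first result is True because Ki and Kj are masked only by values derivable from KGWN-U and stored table entries, so no per-session secret survives outside the transcript; the second is False, showing that the confidentiality of every past session rests on that one long-term key.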