|
If the server doesn't check that the user's public key is an identity
element O (point at infinity), authentication breaks down.
Because O^x = O, no matter the verification secret, the final result
will be: h(<O, challenge, O, username>). Username is assumed to be
public information in the model, and the challenge is openly sent into
the network. What's supposed to prove authenticity of the client via its
secret key and identity, now becomes a trivial universal backdoor with
the server challenge acting as a direct invitiation.
|
