The initiator is initialized with a pre-shared long-term static key, which is assumed to be pre-authenticated out of band by the responder.
Message A, sent by the initiator, does not benefit from sender authentication and does not provide message integrity. It could have been sent by any party, including an active attacker. Message contents do not benefit from message secrecy even against a purely passive attacker and any forward secrecy is out of the question. 0,0
Message B, sent by the responder, does not benefit from sender authentication and does not provide message integrity. It could have been sent by any party, including an active attacker. Message contents benefit from some message secrecy and some forward secrecy, but not sufficiently to resist any active attacker. 0,1
Message C, sent by the initiator, benefits from sender authentication and is resistant to Key Compromise Impersonation. Assuming the corresponding private keys are secure, this authentication cannot be forged. However, if the initiator carries out a separate session with a separate, compromised responder, this other session can be used to forge the authentication of this message with this session's responder. Message contents benefit from some message secrecy and some forward secrecy, but not sufficiently to resist any active attacker. 2,1
Message D, sent by the responder, does not benefit from sender authentication and does not provide message integrity. It could have been sent by any party, including an active attacker. Message contents benefit from message secrecy and strong forward secrecy: if the ephemeral private keys are secure and the initiator is not being actively impersonated by an active attacker, message contents cannot be decrypted. 0,5
Message E, sent by the initiator, benefits from sender authentication and is resistant to Key Compromise Impersonation. Assuming the corresponding private keys are secure, this authentication cannot be forged. However, if the initiator carries out a separate session with a separate, compromised responder, this other session can be used to forge the authentication of this message with this session's responder. Message contents benefit from some message secrecy and some forward secrecy, but not sufficiently to resist any active attacker. 2,1
Get Model active attacker Get Model passive attacker
Get Implementation written in go Get Implementation written in rust