Cryptographic properties

Key confirmation
  - In both variants via MAC on exchanged data (and counter in 1-pass)

Replay protection
  - In 4- and 2-pass through inclusion of client-provided data in MAC
  - Suggested method for 1-pass based on counter

Server authentication
  - In all variants through MAC in ServerFinished message when replacing existing key

Protection against MITM
  - In both variants through use of shared keys, client certificates, or server public key usage

User authentication
  - Enabled in 4- and 2-pass variants using activation code
  - Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00

Device authentication
  - In 4- and 2-pass variants if based on shared secret key or if device sends a client certificate
  - Alternative methods rely on draft-doherty-keyprov-ct-kip-ws-00
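The two replay-protection approaches listed above, as an added sketch that is not taken from the protocol specification: a MAC bound to client-provided data for the multi-pass variants, and a MAC bound to a monotonic counter for 1-pass. HMAC-SHA256, the labels, the field layout and all class and function names are assumptions made for illustration, and the key and payloads are constructed.

```python
import hashlib
import hmac
import os

def mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so different field splits cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def server_multipass(key: bytes, client_nonce: bytes, data: bytes) -> bytes:
    # 4-/2-pass: the server's MAC covers the data the client supplied.
    return mac(key, b"finished", client_nonce, data)

def server_one_pass(key: bytes, counter: int, data: bytes) -> bytes:
    # 1-pass: no client input exists, so the MAC covers a counter instead.
    return mac(key, b"one-pass", counter.to_bytes(8, "big"), data)

class Client:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None       # fresh value per multi-pass run
        self.last_counter = 0   # highest counter accepted in 1-pass

    def start(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def accept_multipass(self, data: bytes, tag: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = mac(self.key, b"finished", self.nonce, data)
        self.nonce = None  # single use: a recorded response cannot match later
        return hmac.compare_digest(expected, tag)

    def accept_one_pass(self, counter: int, data: bytes, tag: bytes) -> bool:
        expected = mac(self.key, b"one-pass", counter.to_bytes(8, "big"), data)
        if not hmac.compare_digest(expected, tag):
            return False        # forged or altered message
        if counter <= self.last_counter:
            return False        # valid MAC but replayed or stale counter
        self.last_counter = counter
        return True
```

The 1-pass check authenticates the message before it updates the stored counter, so an unauthenticated message cannot advance the counter and lock out later legitimate ones.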