The cr1 scheme is bilateral, which means it authenticates both the client and the server identities. In the usual case, it authenticates a connection set up between a connection server on the client side and a port monitor on the server side. When a cr1 exchange is complete, the client and the server can each be certain of the other party's identity.
cr1 requires a system to store a cryptographic key for every protected system with which it needs to communicate. The key is a bit string known only to the principals in the exchange (the client and the server); the string is used to encrypt and decrypt the messages passed between the two principals. Typically, when a remote client attempts to access a local service protected by cr1, the cr1 scheme on the server engages the client in a sequence of exchanges involving the shared cryptographic key and one-time challenges. If the remote client responds correctly to the server's challenge, the server can be certain that the remote client is authorized to access the service. If the server does not engage the client in the exchange, the client can engage the server. If the server responds correctly to the client's challenge, the client can be certain that it is connected to the desired server and not to an impostor.
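The bilateral exchange described above, as an added illustration that is not cr1's own code or wire format (which this page does not describe): each side issues a one-time challenge, the peer answers with a keyed MAC over its own name and the challenge, and the issuer accepts the answer only if it holds the same shared key and the challenge is still unused. HMAC-SHA256 stands in for the encryption cr1 applies with the shared key; the principal names and the key are constructed sample values.

```python
import hashlib
import hmac
import os


class Principal:
    """One party in a bilateral challenge-response exchange (constructed example)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key            # shared secret, known only to client and server
        self.issued = set()       # challenges we issued that are still unanswered

    def challenge(self):
        nonce = os.urandom(16)    # one-time challenge; never reused
        self.issued.add(nonce)
        return nonce

    def respond(self, nonce):
        # Bind the answer to the responder's identity as well as the challenge, so a
        # response cannot simply be reflected back to the party that computed it.
        msg = self.name.encode() + b"\0" + nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, peer_name, nonce, response):
        if nonce not in self.issued:
            return False          # unknown or already-consumed challenge: reject replays
        self.issued.discard(nonce)
        expected = hmac.new(self.key, peer_name.encode() + b"\0" + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(client, server):
    """Run both halves of the exchange; returns (client_verified, server_verified)."""
    c1 = server.challenge()                          # server challenges client
    client_ok = server.verify(client.name, c1, client.respond(c1))
    c2 = client.challenge()                          # client challenges server
    server_ok = client.verify(server.name, c2, server.respond(c2))
    return client_ok, server_ok


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print(mutual_authenticate(Principal("client", key), Principal("server", key)))
    print(mutual_authenticate(Principal("client", b"wrong-key"), Principal("server", key)))
```

A party holding the wrong key fails both halves, and a captured response cannot be replayed because the issuer discards each challenge after one use.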