It then checks whether the identity of the CA server in the proxy credential is correct. If not, the master node is not authenticated. Otherwise, the slave node takes the public key MN_Pub of the master node from the proxy credential, and decrypts the message MN_Rand with the key MN_Pub to get the message CA_Rand that is generated by the CA server: