Designs, Codes and Cryptography, Volume 2, Issue 2, pp 107–125

Authentication and authenticated key exchanges

  • Whitfield Diffie
  • Paul C. Van Oorschot
  • Michael J. Wiener


We discuss two-party mutual authentication protocols providing authenticated key exchange, focusing on those using asymmetric techniques. A simple, efficient protocol referred to as the station-to-station (STS) protocol is introduced, examined in detail, and considered in relation to existing protocols. The definition of a secure protocol is considered, and desirable characteristics of secure protocols are discussed.







Copyright information

© Kluwer Academic Publishers 1992

Authors and Affiliations

  • Whitfield Diffie (1)
  • Paul C. Van Oorschot (2)
  • Michael J. Wiener (2)
  1. Sun Microsystems, Mountain View, USA
  2. Bell-Northern Research, Ottawa, Canada
