Abstract
We discuss two-party mutual authentication protocols providing authenticated key exchange, focusing on those using asymmetric techniques. A simple, efficient protocol referred to as the station-to-station (STS) protocol is introduced, examined in detail, and considered in relation to existing protocols. The definition of a secure protocol is considered, and desirable characteristics of secure protocols are discussed.
Additional information
Communicated by S.A. Vanstone
This work was done while Whitfield Diffie was with Northern Telecom, Mountain View, California.
About this article
Cite this article
Diffie, W., Van Oorschot, P.C. & Wiener, M.J. Authentication and authenticated key exchanges. Des Codes Crypt 2, 107–125 (1992). https://doi.org/10.1007/BF00124891
DOI: https://doi.org/10.1007/BF00124891