This Article 
 Bibliographic References 
 Add to: 
Prudent Engineering Practice for Cryptographic Protocols
January 1996 (vol. 22 no. 1)
pp. 6-15

Abstract—We present principles for designing cryptographic protocols. The principles are neither necessary nor sufficient for correctness. They are however helpful, in that adherence to them would have prevented a number of published errors.

Our principles are informal guidelines; they complement formal methods, but do not assume them. In order to demonstrate the actual applicability of these guidelines, we discuss some instructive examples from the literature.

[1] M. Abadi,M. Burrows,B.W. Lampson, and G. Plotkin,"A calculus for access control in distributed systems," ACM Trans. Programming Languages and Systems, vol. 15, no. 4, pp. 706-734, Sept. 1993.
[2] S.M. Bellovin and M. Merritt, "Limitations of the Kerberos authentication system," Computer Comm. Review, vol. 20, no. 5, pp. 119-132, Oct. 1990.
[3] C. Boyd and W. Mao, "On a limitation of BAN logic," Proc. Advances in Cryptology: Eurocrypt '93, pp. 240-247, Springer-Verlag, 1993.
[4] M. Burrows, M. Abadi, and R.M. Needham, "A logic of authentication," Proc. Royal Soc. London A, vol. 426, pp. 233-271, 1989. A preliminary version appeared as Digital Equipment Corporation Systems Research Center report no. 39, Feb. 1989.
[5] CCITT. CCITT Blue Book, Recommendation X.509 and ISO 9594-8: The Directory-Authentication Framework. Geneva, Mar. 1988.
[6] D.E. Denning and G.M. Sacco, "Timestamps in key distribution protocols," CACM, vol. 24, no. 8, pp. 533-536, Aug. 1981.
[7] U. Feige, A. Fiat, and A. Shamir, "Zero knowledge proofs of identity," Proc. 19th Ann. ACM Symp. Theory of Computing, pp. 210-217, 1987.
[8] L. Gong, "A security risk of depending on synchronized clocks," Operating Systems Review, vol. 26, no. 1, pp. 49-54, Jan. 1992.
[9] N. Heintze and J.D. Tygar, "Timed models for protocol security," CMU Technical Report CMU-CS-92-100, Jan. 1992.
[10] K.E.B. Hickman and T. Elgamal, "The SSL Protocol," Internet Draft, Netscape Communications Corp., version of June 1995. Currently available from
[11] K.E.B. Hickman, "The SSL protocol," RFC, Netscape Communications Corp., version of Oct.31, 1994.
[12] B. Lampson et al., "Authentication in Distributed Systems: Theory and Practice," ACM Trans. Computer Systems, Nov. 1992, pp. 265-310.
[13] A. Liebl., "Authentication in distributed systems: A bibliography," Operating Systems Review, vol. 27, no. 4, pp. 31-41, Oct. 1993.
[14] W.P. Lu and M.K. Sundareshan, "Secure communication in internet environments: A hierarchical key management scheme for end-to-end encryption," IEEE Trans. Comm., vol. 37, no. 10, pp. 1,014-1,023, Oct. 1989.
[15] W.P. Lu and M.K. Sundareshan, "Enhanced protocols for hierarchical encryption key management for secure communication in internet environments," IEEE Trans. Comm., vol. 40, no. 4, pp. 658-660, Apr. 1992.
[16] W. Mao and C. Boyd, "Towards formal analysis of security protocols," Proc. Computer Security Foundations Workshop VII, pp. 147-158, 1993.
[17] G. Medvinsky and B.C. Neuman, "NetCash: A design for practical electronic currency on the internet," Proc. 1993 ACM Conf. Computer and Comm. Security, pp. 102-106.
[18] S.P. Miller, B.C. Neuman, J.I. Schiller, and J.H. Saltzer, "Kerberos authentication and authorization system," Project Athena Technical Plan, Section E.2.1, MIT, July 1987.
[19] J.H. Moore, "Protocol failures in cryptosystems," Proc. IEEE, vol. 76, no. 5, pp. 594-602, May 1988.
[20] National Bureau of Standards, "Data encryption standard," FIPS Pub. 46, Jan. 1977.
[21] R.M. Needham, "Cryptography and secure channels," Distributed Systems, 2nd edition, S. Mullender, ed., pp. 231-241. ACM Press, 1993.
[22] R.M. Needham and M.D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Comm. ACM, vol. 21, no. 12, pp. 993-999, Dec. 1978
[23] R.M. Needham and M.D. Schroeder, "Authentication revisited," Operating Systems Review, vol. 21, no. 1, p. 7, Jan. 1987.
[24] B.C. Neuman and S.G. Stubblebine, "A note on the use of timestamps as nonces," Operating Systems Review, vol. 27, no. 2, pp. 10-14, Apr. 1993.
[25] D. Otway and O. Rees, "Efficient and timely mutual authentication," Operating Systems Review, vol. 21, no. 1, pp. 8-10, Jan. 1987.
[26] M.K. Reiter, "A security architecture for fault-tolerant systems," PhD Thesis, Cornell Univ., available as Technical Report 93-1367, Dept. of Computer Science, Cornell Univ., July 1993.
[27] R. Rivest, "The MD4 message digest algorithm," Proc. Advances in Cryptology: Crypto '90, pp. 303-311, Springer-Verlag, 1991.
[28] R.L. Rivest,A. Shamir, and L.A. Adleman,"A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Comm. ACM, vol. 21, pp. 120-126, 1978.
[29] E. Snekkenes, "Roles in cryptographic protocols," Proc. 1992 IEEE Symp. Security and Privacy, pp. 105-119.
[30] P. Syverson, "On key distribution protocols for repeated authentication," Operating Systems Review, vol. 27, no. 4, pp. 24-30, Oct. 1993.
[31] V. Varadharajan, P. Allen, and S. Black, "An analysis of the proxy problem in distributed systems," Proc. 1991 IEEE Symp. Security and Privacy, pp. 255-275.
[32] V.L. Voydock and S.T. Kent, "Security mechanisms in high-level network protocols," Computing Surveys, vol. 15, no. 2, pp. 135-171, 1983.
[33] E. Wobber, M. Abadi, M. Burrows, and B. Lampson, "Authentication in the Taos operating system," ACM Trans. Computer Systems, vol. 12, no. 1, pp. 3-32, Feb. 1994.
[34] T.Y.C. Woo and S.S. Lam, "Authentication for distributed systems," Computer, vol. 25, no. 1, pp. 39-52, Jan. 1992.
[35] T.Y.C. Woo and S.S. Lam,., "A lesson on authentication protocol design," Operating Systems Review, vol. 28, no. 3, pp.24-37, July 1994.
[36] R. Yahalom, B. Klein, and T. Beth, "Trust Relationships in Secure Systems—A Distributed Authentication Perspective," Proc. 1993 IEEE Symp. Research in Security and Privacy, pp. 150-164, May 1993.

Index Terms:
Cryptography, authentication, cryptographic protocols, authentication protocols, security.
MartÍn Abadi, Roger Needham, "Prudent Engineering Practice for Cryptographic Protocols," IEEE Transactions on Software Engineering, vol. 22, no. 1, pp. 6-15, Jan. 1996, doi:10.1109/32.481513
Usage of this product signifies your acceptance of the Terms of Use.