Systematic Design of a Family of Attack-Resistant Authentication Protocols

September 1992

R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, M. Yung

IBM Raleigh, Watson & Zurich Laboratories

Abstract

The extensive use of open networks and distributed systems poses serious threats to the security of end-to-end communications and network components themselves. A necessary foundation for securing a network is the ability to reliably authenticate communication partners and other network entities. One-way, password-based authentication techniques are not sufficient to cope with the issues at hand. Modern designs rely on two-way, cryptographic authentication protocols. However, most existing designs suffer from one or more limitations: they require synchronization of local clocks, they are subject to export restrictions because of the way they use cryptographic functions, they are not amenable to use in lower layers of network protocols because of the size and complexity of messages they use, etc. Designing suitable cryptographic protocols that cater to large and dynamic network communities but do not suffer from the above problems presents substantial challenges in terms of ease of use, efficiency, flexibility, and above all security. This paper discusses the above challenges, shows how a few simple protocols, including one proposed by ISO, can easily be broken, and derives a series of desirable properties that authentication protocols should exhibit to meet the requirements of future large and dynamic network communities.
Then the paper describes a methodology that was developed to systematically build and test the security of a family of cryptographic two-way authentication protocols that are as simple as possible yet resistant to a wide class of attacks, efficient, easy to implement and use, and amenable to many different networking environments. It also discusses several concrete examples of protocols of that family that present various advantages in specific distributed system scenarios.