Paper 1998/009

A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols

Mihir Bellare, Ran Canetti, and Hugo Krawczyk


We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols. The key element in our approach is a modular treatment of the authentication problem in cryptographic protocols; this applies to the definition of security, to the design of the protocols, and to their analysis. In particular, following this modular approach, we show how to systematically transform solutions that work in a model of idealized authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary. Using these principles we construct and prove the security of simple and practical authentication and key-exchange protocols. In particular, we provide a security analysis of some well-known key exchange protocols (e.g. authenticated Diffie-Hellman key exchange), and of some of the techniques underlying the design of several authentication protocols that are currently being deployed on a large scale for the Internet Protocol and other applications.

Publication info
Published elsewhere. Appeared in the THEORY OF CRYPTOGRAPHY LIBRARY and has been included in the ePrint Archive.
Authentication, key exchange, key distribution, Diffie-Hellman, secure computation, SKEME, formal analysis.
Contact author(s)
canetti @ watson ibm com
1998-03-13: received
Creative Commons Attribution


      author = {Mihir Bellare and Ran Canetti and Hugo Krawczyk},
      title = {A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols},
      howpublished = {Cryptology ePrint Archive, Paper 1998/009},
      year = {1998},
      note = {\url{}},
      url = {}