All messages should be encrypted whenever possible.

Every message should say what it means, its interpretation should only depend on its content.

One should be clear on how the timeliness of messages is proven.

Any implicit assumptions in the protocol should be clearly spelled out.

...establish a shared secret between parties.

...prevent replay attacks by ensuring message freshness.

..encrypt the session key securely.

...ensure the confidentiality of the communication.

... both parties use strong public-key algorithms.

... no short-term session keys are needed.

... even compromising both long-term keys (i.e., from Alice and Bob) does not compromise any short-term session key they previously created using these long-term keys.

... short-term session keys are only compromised if at least one of the long-term keys is compromised.

K_S = K_AB +1

K_S = E(K_AB, N+1)

K_S = E(K_AB + 1, N)

K_S = E(K_AB, N)

Because the protocol used a weak hash (MD) that was easily broken

Because only one principal (Alice) was authenticated, but not the other (Bob)

Because the messages were not explicit enough about the identity of the principal in question

Because nonces were sent in plaintext rather than encrypted

Using timestamps in challenges.

Reusing the same challenge for multiple sessions.

Send every message multiple times and check that the answers match.

Including your identity in the response

... using strong enough cryptographic transformations f(K,N) for the response computations.

... asking both sides to use different keys for authentication.

... requesting the initiator to prove identity first.

... asking both sides to use different challenges.

Confirmation of knowledge without actual disclosure

Create pseudorandom numbers

Derive new key material from existing keys

Encrypt keys for confidential key distribution 

It is more secure

It is faster to compute

It is backwards compatible to SHA-1

It uses the more modern "sponge construction"

collision resistance, non-reversability, pseudorandomness

weak pre-image resistance, strong pre-image resistance, collision resistance 

first pre-image resistance, second pre-image resistance, collision resistance

pre-image resistance, first collision resistance, second collision resistance