It is used to authenticate a client to a server using symmetric cryptography.

It is used to establish a shared key between two parties using a trusted party.

It is used to create a public-key infrastructure (i.e., distribute public keys).

It is used to authenticate a client to a server using public-key cryptography.

All messages should be encrypted whenever possible.

Every message should say what it means, its interpretation should only depend on its content.

One should be clear on how the timeliness of messages is proven.

Any implicit assumptions in the protocol should be clearly spelled out.

...establish a shared secret between parties.

...prevent replay attacks by ensuring message freshness.

..encrypt the session key securely.

...ensure the confidentiality of the communication.

... both parties use strong public-key algorithms.

... no short-term session keys are needed.

... even compromising both long-term keys (i.e., from Alice and Bob) does not compromise any short-term session key they previously created using these long-term keys.

... short-term session keys are only compromised if at least one of the long-term keys is compromised.

K_S = K_AB +1

K_S = E(K_AB, N+1)

K_S = E(K_AB + 1, N)

K_S = E(K_AB, N)

Because the protocol used a weak hash (MD) that was easily broken

Because only one principal (Alice) was authenticated, but not the other (Bob)

Because the messages were not explicit enough about the identity of the principal in question

Because nonces were sent in plaintext rather than encrypted

Using timestamps in challenges.

Reusing the same challenge for multiple sessions.

Send every message multiple times and check that the answers match.

Including your identity in the response

... using strong enough cryptographic transformations f(K,N) for the response computations.

... asking both sides to use different keys for authentication.

... requesting the initiator to prove identity first.

... asking both sides to use different challenges.

Confirmation of knowledge without actual disclosure

Create pseudorandom numbers

Derive new key material from existing keys

Encrypt keys for confidential key distribution 

It is more secure

It is faster to compute

It is backwards compatible to SHA-1

It uses the more modern "sponge construction"