M. Abadi and R. M. Needham. Prudent engineering practice for cryptographic protocols. IEEE Trans.
Software Eng., 22(1):6–15, 1996. See also (same authors and title): IEEE Symp. Security and Privacy,
page 122–136, 1994.
M. Abdalla, F. Benhamouda, and P. MacKenzie. Security of the J-PAKE password-authenticated key
exchange protocol. In IEEE Symp. Security and Privacy, pages 571–587, 2015.
R. J. Anderson and R. M. Needham. Programming Satan’s Computer. In Computer Science Today:
Recent Trends and Developments, pages 426–440. 1995. Springer LNCS 1000.
R. J. Anderson and R. M. Needham. Robustness principles for public key protocols. In CRYPTO, pages
R. J. Anderson and S. Vaudenay. Minding your p’s and q’s. In ASIACRYPT, pages 26–35, 1996..
S. M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against
dictionary attacks. In IEEE Symp. Security and Privacy, pages 72–84, 1992.
S. M. Bellovin and M. Merritt. Augmented encrypted key exchange: A password-based protocol secure
against dictionary attacks and password file compromise. In ACM Comp. & Comm. Security (CCS),
pages 244–250, 1993.
R. Bird, I. S. Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Molva, and M. Yung. Systematic design
of two-party authentication protocols. In CRYPTO, pages 44–61, 1991.
C. Boyd and A. Mathuria. Protocols for Authentication and Key Establishment. Springer, 2003. Also
second edition (2019) with Douglas Stebila.
W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T. Polk, S. Gupta, and E. A. Nabbus. NIST
Special Pub 800-63-1: Electronic Authentication Guideline. U.S. Dept. of Commerce. Dec 2011 (121
pages), supersedes ; superseded by SP 800-63-2, Aug 2013 (123 pages), itself superseded by .
W. E. Burr, D. F. Dodson, and W. T. Polk. NIST Special Pub 800-63: Electronic Authentication
Guideline. U.S. Dept. of Commerce. Ver. 1.0, Jun 2004 (53 pages), including Appendix A: Estimating
Password Entropy and Strength (8 pages). Superseded by .
M. Burrows, M. Abadi, and R. M. Needham. A logic of authentication. ACM Trans. Comput. Syst.,
8(1):18–36, 1990. See also (same authors and title) ACM SOSP, pages 1–13, 1989.
S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers.
In USENIX Security, 2006.
W. Diffie, P. C. van Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges.
Designs, Codes and Cryptography, 2(2):107–125, 1992.
N. Ferguson and B. Schneier. Practical Cryptography. Wiley, 2003.
J. Fried, P. Gaudry, N. Heninger, and E. Thom´e. A kilobit hidden SNFS discrete logarithm computation.
In EUROCRYPT, pages 202–231, 2017.
K. Gaarder and E. Snekkenes. Applying a formal analysis technique to the CCITT X.509 strong twoway
authentication protocol. Journal of Cryptology, 3(2):81–98, 1991.
D. Gillmor. RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport
Layer Security (TLS), Aug. 2016. Proposed Standard.
L. Gong, T. M. A. Lomas, R. M. Needham, and J. H. Saltzer. Protecting poorly chosen secrets from
guessing attacks. IEEE J. Selected Areas in Commns, 11(5):648–656, 1993.
P. A. Grassi et al. NIST Special Pub 800-63-3: Digital Identity Guidelines. U.S. Dept. of Commerce.
Jun 2017, supersedes . Additional parts SP 800-63A: Enrollment and Identity Proofing, SP 800-
63B: Authentication and Lifecycle Management, SP 800-63C: Federation and Assertions.
F. Hao. RFC 8236: J-PAKE—Password-Authenticated Key Exchange by Juggling, Sept. 2017. Informational.
F. Hao and P. Ryan. Password authenticated key exchange by juggling. In 2008 Security Protocols
Workshop, pages 159–171. Springer LNCS 6615 (2011).
F. Hao and P. Ryan. J-PAKE: Authenticated key exchange without PKI. Trans. Computational Science,
11:192–206, 2010. Springer LNCS 6480.
F. Hao and S. F. Shahandashti. The SPEKE protocol revisited. In Security Standardisation Research
(SSR), pages 26–38, 2014. Springer LNCS 8893. See also: IEEE TIFS, 2018, “Analyzing and patching
SPEKE in ISO/IEC”
D. P. Jablon. Strong password-only authenticated key exchange. Computer Communication Review,
D. P. Jablon. Extended password key exchange protocols immune to dictionary attacks. In Workshop on
Enabling Technologies/Infrastructure for Collaborative Enterprises (WET-ICE), pages 248–255, 1997.
C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communications in a Public
World (2nd edition). Prentice Hall, 2003.
A. Kumar, N. Saxena, G. Tsudik, and E. Uzun. Caveat emptor: A comparative study of secure device
pairing methods. In IEEE Pervasive Computing and Comm. (PerCom 2009), pages 1–10, 2009.
L. Law, A. Menezes, M. Qu, J. A. Solinas, and S. A. Vanstone. An efficient protocol for authenticated
key agreement. Designs, Codes and Cryptography, 28(2):119–134, 2003.
C. H. Lim and P. J. Lee. A key recovery attack on discrete log-based schemes using a prime order
subgroup. In CRYPTO, pages 249–263, 1997.
S. Lucks. Open Key Exchange: How to defeat dictionary attacks without encrypting public keys. In
Security Protocols Workshop, pages 79–90, 1997.
P. D. MacKenzie, S. Patel, and R. Swaminathan. Password-authenticated key exchange based on RSA.
In ASIACRYPT, pages 599–613, 2000.
C. Mainka, V. Mladenov, J. Schwenk, and T. Wich. SoK: Single sign-on security—An evaluation of
OpenID Connect. In IEEE Eur. Symp. Security & Privacy, pages 251–266, 2017.
A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC
Press, 1996. Openly available, http://cacr.uwaterloo.ca/hac/.
R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers.
Comm. ACM, 21(12):993–999, 1978.
B. C. Neuman and T. Ts’o. Kerberos: An authentication service for computer networks. IEEE Communications
Magazine, pages 33–38, Sept. 1994.
C. Neuman, T. Yu, S. Hartman, and K. Raeburn. RFC 4120: The Kerberos Network Authentication
Service (V5), July 2005. Proposed Standard; obsoletes RFC 1510.
A. Pashalidis and C. J. Mitchell. A taxonomy of single sign-on systems. In Australasian Conf. on Info.
Security & Privacy (ACISP), pages 249–264, 2003.
S. Patel. Number theoretic attacks on secure password schemes. In IEEE Symp. Security and Privacy,
pages 236–247, 1997.
C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
R. Shekh-Yusef, D. Ahrens, and S. Bremer. RFC 7616: HTTP Digest Access Authentication, Sept.
2015. Proposed Standard. Obsoletes RFC 2617.
M. Steiner, G. Tsudik, and M. Waidner. Refinement and extension of encrypted key exchange. ACM
Operating Sys. Review, 29(3):22–30, 1995.
L. Valenta, D. Adrian, A. Sanso, S. Cohney, J. Fried, M. Hastings, J. A. Halderman, and N. Heninger.
Measuring small subgroup attacks against Diffie-Hellman. In Netw. Dist. Sys. Security (NDSS), 2017.
P. C. van Oorschot. Extending cryptographic logics of belief to key agreement protocols. In ACM
Comp. & Comm. Security (CCS), pages 232–243, 1993.
P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In
EUROCRYPT, pages 332–343, 1996.
P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. Journal
of Cryptology, 12(1):1–28, 1999.
R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through Facebook and Google: A
traffic-guided security study of commercially deployed single-sign-on web services. In IEEE Symp.
Security and Privacy, pages 365–379, 2012.
T.Wu. RFC 2945: The SRP Authentication and Key Exchange System, Sept. 2000. RFC 2944 (Telnet)
and RFC 5054 (TLS) rely on SRP; see also http://srp.stanford.edu/ (Stanford SRP Homepage).
T. D. Wu. The secure remote password protocol. In Netw. Dist. Sys. Security (NDSS), 1998.
T. D. Wu. A real-world analysis of Kerberos password security. In Netw. Dist. Sys. Security (NDSS),
R. Zuccherato. RFC 2785: Methods for Avoiding the “Small-Subgroup” Attacks on the Diffie-Hellman
Key Agreement Method for S/MIME, Mar. 2000. Informational.