密钥协商协议及其应用研究
|
摘要
随着计算机和通信网络逐渐深入人们的生活,越来越多的人开始关注信息的安全。密钥协商协议在通信系统中为通信的参与者提供身份认证,并为参与者生成一个用来加密传递消息的临时会话密钥。
密钥协商协议要用到的密码学原语有加密算法、Hash算法、MAC、签名算法等。根据参与者数目的不同,密钥协商协议分为两方密钥协商协议、三方密钥协商协议和组密钥协商协议。除了隐含的密钥认证和密钥确认,密钥协商协议还应该具备如下一些性质:已知会话密钥安全、前向安全、没有密钥泄漏模仿、没有未知密钥共享攻击、没有密钥控制。在效率方面,密钥协商协议应该考虑通信复杂度和计算复杂度,其中通信复杂度包括:轮复杂度和传输的数据量。本文从两方密钥协商协议、三方密钥协商协议、组密钥协商协议及应用等方面对密钥协商协议进行深入研究,得到如下研究结果:
1.指出只要做一个简单的认证,Chien等提出的对Chang等的数字签名方案的伪造攻击就是无效的。同时,对Chang等的签名方案提出了一个新的伪造攻击,并给出了改进方案(ZYWPC方案)。在没有随机Oracle的情况下,证明了ZYWPC方案具有存在性不可伪造的安全性。
2.Harn的协议是一个没有单向Hash函数的认证多密钥协商协议。由于它不提供用户认证而容易受到重放攻击、未知密钥共享攻击和DoS攻击。Zhou等对Harn的协议进行了攻击,并给出了修改的协议。本文指出Zhou等的协议易受级联攻击,并提出了一个改进的多密钥协商协议,此协议比Harn的协议更安全,更高效。本文的这个协议提供了用户认证和共享密钥认证,可以避免级联攻击。本文的协议需要传递3次消息,运行一次该协议,参与者可以得到四个密钥;如果A和B希望共享n~2个密钥,那么每个参与者必须传递n个临时公钥。
3.提出了一个两方密钥协商协议,这个协议用ZYWPC签名方案提供认证,并在没有随机Oracle的情况下证明了协议的安全性。
4.提出了一个不使用Hash函数的基于DDH问题的组密钥协商协议,并利用Bresson等的安全模型分析了协议的安全性。这个协议在通信和计算上都是高效的,协议需要的轮数为2,每个用户需要发送的消息数为6。
5.为了满足远程控制主机的需要,微软公司设计了远程桌面协议(RDP)。RDP协议虽然方便了用户对远程主机的操作,但是也带来了一些安全问题。一些研究者指出,RDP协议容易受到中间人攻击。本文针对这一问题,提出了一个新的可以增强认证性的密码套件RDP-SKE,并在随机Oracle模型下证明了其安全性。RDP-SKE能够使RDP协议避免中间人攻击,同时也能避免恶意或粗心CA带来的安全危害。如果不考虑helper的加入,RDP-SKE没有增加客户端和服务器的交互次数。
With the wide usage of computers and communication network in our lives, more and more people concern the security of information. An authenticated key agreement protocol is used to provide authentication in communication systems, and produces a short-time key that can encrypt the transferred information.
The encryption algorithms, Hash functions, MAC algorithms and digital signature schemes are the primitives which are used in the key agreement protocols. There are three kind of key agreement protocols: two-party key agreement protocols, three-party key agreement protocols, group key agreement protocols. Besides key authentication and key confirmation, a number of desirable security attributes have been identified for key agreement protocols: known-session key security, forward secrecy, no key-compromise impersonation, no unknown key-share, no key control. In addition to the security, we must consider the efficiency which includes communication cost and computation complexity. This paper researches two-party key agreement protocols, three-party key agreement protocols, group key agreement protocols and the applications. Main achievements in this paper are summarized as follows:
1. The paper point out that Chien et al's attack on Chang et al's digital signature scheme will not work by a simple verification. Then we show another forgery attack on it and propose an improved scheme (ZYWPC), which is secure against existential forgery attacks.
2. Harn's protocol is an authenticated multiple-key agreement protocol without using a Hash function. But, it doesn't provide user authentication, so isn't against replay attack, resource-exhaustion, unknown key-share attack and DOS attack. Zhou et al. give an attack on Harn's protocol, and give an improved protocol. This paper points out that Zhou's protocol is vulnerable to a concatenation attack, and proposes an improved authenticated multi-key agreement protocol which is more secure and efficient than Harn's protocol. The protocol provides both user authentication and shared-key authentication, so it can escape the concatenation attack. Our protocol must pass three times. The entities can get 4 keys by run our protocol. If two users want to share n~2 keys, each entity must transmit n short-term public keys.
3. This paper proposes a two party key agreement protocol by modifying ZYWPC and proves the security without random oracle.
4. This paper proposes a group key agreement protocol without using Hash functions based on DDH problem. The protocol achieves efficiency in both communication and computation aspects. We analyze its security in the security model formalized by Bresson et al. The number of rounds required is 2, and the number of messages sent per participant is 6.
5. Remote Desktop Protocol (RDP) was designed for remote controlling the hosts by Microsoft. RDP brought the convenience and the risk to users. Many researchers showed that it was vulnerable by man-in-middle attack. In this paper, a new ciphersuite (RDP-SKE) was proposed, which can offer strong authentication. It is shown that RDP-SKE is provably secure in random oracle model. RDP can escape man-in-middle attack and the damage that results from a malicious or careless Certification Authority (CA) by adopting RDP-SKE. Without considering the helper, RDP-SKE doesn't increate the passes between the client and the server.
密钥协商协议要用到的密码学原语有加密算法、Hash算法、MAC、签名算法等。根据参与者数目的不同,密钥协商协议分为两方密钥协商协议、三方密钥协商协议和组密钥协商协议。除了隐含的密钥认证和密钥确认,密钥协商协议还应该具备如下一些性质:已知会话密钥安全、前向安全、没有密钥泄漏模仿、没有未知密钥共享攻击、没有密钥控制。在效率方面,密钥协商协议应该考虑通信复杂度和计算复杂度,其中通信复杂度包括:轮复杂度和传输的数据量。本文从两方密钥协商协议、三方密钥协商协议、组密钥协商协议及应用等方面对密钥协商协议进行深入研究,得到如下研究结果:
1.指出只要做一个简单的认证,Chien等提出的对Chang等的数字签名方案的伪造攻击就是无效的。同时,对Chang等的签名方案提出了一个新的伪造攻击,并给出了改进方案(ZYWPC方案)。在没有随机Oracle的情况下,证明了ZYWPC方案具有存在性不可伪造的安全性。
2.Harn的协议是一个没有单向Hash函数的认证多密钥协商协议。由于它不提供用户认证而容易受到重放攻击、未知密钥共享攻击和DoS攻击。Zhou等对Harn的协议进行了攻击,并给出了修改的协议。本文指出Zhou等的协议易受级联攻击,并提出了一个改进的多密钥协商协议,此协议比Harn的协议更安全,更高效。本文的这个协议提供了用户认证和共享密钥认证,可以避免级联攻击。本文的协议需要传递3次消息,运行一次该协议,参与者可以得到四个密钥;如果A和B希望共享n~2个密钥,那么每个参与者必须传递n个临时公钥。
3.提出了一个两方密钥协商协议,这个协议用ZYWPC签名方案提供认证,并在没有随机Oracle的情况下证明了协议的安全性。
4.提出了一个不使用Hash函数的基于DDH问题的组密钥协商协议,并利用Bresson等的安全模型分析了协议的安全性。这个协议在通信和计算上都是高效的,协议需要的轮数为2,每个用户需要发送的消息数为6。
5.为了满足远程控制主机的需要,微软公司设计了远程桌面协议(RDP)。RDP协议虽然方便了用户对远程主机的操作,但是也带来了一些安全问题。一些研究者指出,RDP协议容易受到中间人攻击。本文针对这一问题,提出了一个新的可以增强认证性的密码套件RDP-SKE,并在随机Oracle模型下证明了其安全性。RDP-SKE能够使RDP协议避免中间人攻击,同时也能避免恶意或粗心CA带来的安全危害。如果不考虑helper的加入,RDP-SKE没有增加客户端和服务器的交互次数。
With the wide usage of computers and communication network in our lives, more and more people concern the security of information. An authenticated key agreement protocol is used to provide authentication in communication systems, and produces a short-time key that can encrypt the transferred information.
The encryption algorithms, Hash functions, MAC algorithms and digital signature schemes are the primitives which are used in the key agreement protocols. There are three kind of key agreement protocols: two-party key agreement protocols, three-party key agreement protocols, group key agreement protocols. Besides key authentication and key confirmation, a number of desirable security attributes have been identified for key agreement protocols: known-session key security, forward secrecy, no key-compromise impersonation, no unknown key-share, no key control. In addition to the security, we must consider the efficiency which includes communication cost and computation complexity. This paper researches two-party key agreement protocols, three-party key agreement protocols, group key agreement protocols and the applications. Main achievements in this paper are summarized as follows:
1. The paper point out that Chien et al's attack on Chang et al's digital signature scheme will not work by a simple verification. Then we show another forgery attack on it and propose an improved scheme (ZYWPC), which is secure against existential forgery attacks.
2. Harn's protocol is an authenticated multiple-key agreement protocol without using a Hash function. But, it doesn't provide user authentication, so isn't against replay attack, resource-exhaustion, unknown key-share attack and DOS attack. Zhou et al. give an attack on Harn's protocol, and give an improved protocol. This paper points out that Zhou's protocol is vulnerable to a concatenation attack, and proposes an improved authenticated multi-key agreement protocol which is more secure and efficient than Harn's protocol. The protocol provides both user authentication and shared-key authentication, so it can escape the concatenation attack. Our protocol must pass three times. The entities can get 4 keys by run our protocol. If two users want to share n~2 keys, each entity must transmit n short-term public keys.
3. This paper proposes a two party key agreement protocol by modifying ZYWPC and proves the security without random oracle.
4. This paper proposes a group key agreement protocol without using Hash functions based on DDH problem. The protocol achieves efficiency in both communication and computation aspects. We analyze its security in the security model formalized by Bresson et al. The number of rounds required is 2, and the number of messages sent per participant is 6.
5. Remote Desktop Protocol (RDP) was designed for remote controlling the hosts by Microsoft. RDP brought the convenience and the risk to users. Many researchers showed that it was vulnerable by man-in-middle attack. In this paper, a new ciphersuite (RDP-SKE) was proposed, which can offer strong authentication. It is shown that RDP-SKE is provably secure in random oracle model. RDP can escape man-in-middle attack and the damage that results from a malicious or careless Certification Authority (CA) by adopting RDP-SKE. Without considering the helper, RDP-SKE doesn't increate the passes between the client and the server.
引文
[1]沈昌祥,张焕国,冯登国,曹珍富,黄继武.信息安全综述.中国科学E辑:信息科学,2007,32(2),pp.129-150.
[2]Pfleeger C P and Pfleeger S L.Security in Computing,3rd Editon.NJ:Prentice Hall.2003.
[3]孟庆树,王丽娜,傅建明等(译).密码编码学与网络安全--原理与实践(第四版).西安:电子工业出版社,2006.
[4]卿斯汉,刘文清,温红予.操作系统安全.北京:清华大学出版社,2004.
[5]Ratna Dutta,Rana Barua.Overview of Key Agreement Protocols.Available at http://citeseer.ist.psu.edu/7 41710.html,2006.
[6]Diffie W and Hellman M.New Directions in Cryptography.In IEEE Transaction on Information Theory,1976,22(6),pp.644-654.
[7]Blake-Wilson S,Johnson D,and Menezes A.Key Agreement Protocols and Their Security Analysis.Proc of the sixth IMA International Conference on Cryptography and Coding,LNCS 1355,Springer-Verlag,1997,pp.30-45.
[8]Blake-Wilson S and Menezes A.Authenticated Diffie-Hellman Key Agreement Protocols.5th Annual Workshop on Selected Areas in Cryptography(SAC'98),LNCS 1556.Springer-Verlag 1998,pp.339-361.
[9]Law L,Menezes A,Qu M,Solinas J,and Vanstone S.An Efficient Protocol for Authenticated Key Agreement.Technical Report CORR 98-05,Department of C & O,University of Waterloo,1998.
[10]Kaliski B.An Unknown Key-Share Attack on The MQV Key Agreement Protocol.ACM Trans.on Information and Systems Security,2001,4(3),pp.275-288.
[11]Bellare M and Rogaway P.Random Oracles are Practical:A Paradigm for Designing Efficient Protocols.In proceedings of ACM CCS 1993,ACM Press,1993,pp.62-73.
[12]Bellare M,Canetti R and Krawczyk H.A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols.In proceedings of the 30th Annual Symposium on the Theory of Computing.ACM Press,1998,pp.419-428.Available at http://www.cs.edu/users/mihir/papers/key-distribution,html/.
[13]Bresson E,Chevassut O and Pointcheval D.Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions.In proceedings of Eurocrypt 2002,LNCS 2332, Springer-Verlag, 2002, pp.321-336.
[14] Bresson E, Chevassut O, and Pointcheval D. Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case. In proceedings of Asiacrypt 2001, LNCS 2248, Springer-Verlag, 2001, pp. 290-309.
[15] Bresson E, Chevassut O, Pointcheval D, and J. Quisquater J. Provably Authenticated Group Diffie-Hellman Key Exchange. In proceedings of ACM CCS 2001, ACM Press, 2001, pp. 255-264.
[16] Shamir A. Identity-based Cryptosystems and Signature Schemes. In proceedings of Cryptol984, LNCS 196, Springer-Verlag, 1984, pp. 47-53.
[17] Girault M and Paillers J C. An Identity Based Scheme Providing Zero- knowledge Authenticated Key Exchange. In proceedings of ESORICS 1990,1990, pp. 173-184.
[18] Okamoto E. Proposal for Identity Based Key Distribution System. In Electronic Letters, 1986,22, pp. 1283-1284.
[19] Cocks C. An Identity Based Encryption Scheme based on Quadratic Residues. In Cryptography and Coding, LNCS 2260, Springer-Verlag, 2001, pp. 360-363. http://www.cesg.gov.uk/site/ast/idpkc/media/ciren.pdf.
[20] Boneh D. and Franklin M. Identity-Based Encryption from Weil Pairing. In proceedings of Crypto 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213-229.
[21] Dutta R, Barua R and Sarkar P. Pairing Based Cryptographic Protocols : A Survey. Manuscript 2004. Available at http://eprint.iacr.org/2004/ 064.
[22] Matsumoto T, Takashima Y and Imai H. On Seeking Smart Public-key Distribution Systems. Transactions of the IECE of Japan, 1986, 69, pp. 99-106.
[23] Scott M. Authenticated ID-based Key Exchange and Remote Log-in with Insecure Token and PIN Number. Available at http://eprint.iacr.org/2002/164.
[24] Joux A. A One Round Protocol for Tripartite Diffie-Hellman. In proceedings of ANTS 4, LNCS 1838, Springer-Verlag, 2000, pp. 385-394.
[25] Smart N P. An Identity-based Authenticated Key Agreement Protocol Based on the Weil Pairing. In Electronic Letters, 2002, 38, pp. 630-632.
[26] Chen L and Kudla C. Identity Based Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.Org/2002/l84.
[27] Shim K. Efficient ID-based Authenticated Key Agreement Protocol Based on the Weil Pairing. In Electronic Letters, 2003, Vol 39(8), pp. 653-654.
[28] Sun H M and Hsieh B T. Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.Org/2003/113.
[29] McCullagh N and Barreto P S L M. A New Two-Party Identity-Based Authenticated Key Agreement. In proceedings of CT-RSA 2005, LNCS 3376, Springer-Verlag, 2005, pp. 262-274. Also available at http://eprint.iacr.org/2004 /122.
[30] Xie G. Cryptanalysis of Noel McCullagh and Paulo S. L. M. Barreto's Two- party Identity-Based Key Agreement. Available at http://eprint.iacr.org/2004/ 308.
[31] Jeong I R, Katz J and Lee D H. One-Round Protocols for Two-Party Authenticated Key Exchange. In proceedings of ACNS 2004, LNCS 3089, Springer-Verlag, 2004, pp. 220-232.
[32] Al-Riyami S and Paterson K G. Tripartite Authenticated Key Agreement Protocols from Pairings. In proceedings of IMA Conference of Cryptography and Coding, LNCS 2898, pp.332-359. Also available at http://eprint.iacr.org/ 2002/035.
[33] Shim K. Cryptanalysis of Al-Riyami-Paterson's Authenticated Three Party Key Agreement Protocols. Available at http://eprint.iacr.org/2003/122.
[34] Nalla D. ID-Based Tripartite Key Agreement with Signature. Available at http://eprint.iacr.org/2003/144.
[35] Nalla D and Reddy K C. ID-Based Tripartite Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.org/2003/004.
[36] Chen Z. Security Analysis on Nalla-Reddy's ID-based Tripartite Authenticated Key Agreement Protocol. Available at http://eprint.iacr.org/2003/103.
[37] Shim K. Cryptanalysis of ID-Based Tripartite Authenticated Key Agreement Protocol. Available at http://eprint.iacr.org/2003/115.
[38] Zhang F, Liu S and Kim K. ID-based One Round Authenticated Tripartite Key Agreement Protocol with Pairings. Available at http://eprint.iacr.org/2002/122.
[39] Hess F. Efficient Identity Based Signature Schemes Based on Pairings. In proceedings of SAC 2002, LNCS 2595, Springer-Verlag, 2002, pp. 310-324.
[40] Ingemarsson I, Tang D T, and Wong C K. A Conference Key Distribution System. In IEEE Transactions on Information Theory, 1982, Vol 28(5), pp. 714-720.
[41] Burmester M and Desmedt Y. A Secure and Efficient Conference Key Distribution System. In proceedings of Eurocrypt 1994,LNCS 950,Springer- Verlag,1995,pp.275-286.
[42]Steiner M,Tsudik G,Waidner M.Diffie-Hellman Key Distribution Extended to Group Communication.In proceedings of ACM CCS 1996,ACM Press,1996,pp.31-37.
[43]Becker K and Wille U.Communication Complexity of Group Key Distribution.In proceedings of ACM CCS 1998,ACM Press,1998,pp.1-6.
[44]Ateniese G,Steiner M,and Tsudik G.Authenticated Group Key Agreement and Friends.In proceedings of ACM CCS 1998[1],ACM Press,1998,pp.17-26.
[45]Ateniese G,Steiner M,and Tsudik G.New Multi-party Authenticated Services and Key Agreement Protocols.In Journal of Selected Areas in Communications IEEE,2000,18(4),pp.1-13.
[46]Steiner M,Tsudik G and Waidner M.Cliques:A New Approach to Group Key Agreement.In IEEE Conference on Distributed Computing Systems,May 1998,pp.380.
[47]Pereira O and Quisquater J J.A Security Analysis of the Cliques Protocol Suite.In Computer Security Fotmdations Workshop(CSFW 2001),IEEE Computer Society Press,2001,pp.73-81.
[48]Goldreich O.Secure Multi-party Computation,Working Draft,Version 1.3,June 24,2001.Available from http://www.wisdom.weizmann.ac.il/-oded/pp.html/.
[49]Abdalla M,Bresson E and Chevassut O,et al.Password-based Group Key Exchangein a Constant Number of Rounds.International Workshop on Practice and Theory in Public Key Cryptography(PKC 2006),New York City,USA,April 2006.
[50]柯召,孙琦.述论讲义(上册).北京:高等教育出版社,2002,pp.145.
[51]Davis R M.The Data Encryption Standard in Perspective.Computer Security and the Data Encryption Standard,National Bureau of Standards,Specal Publication.Feb 1978.
[52]NBS FIPS PUB 46.Data Encryption Standard.National Bureau of Standards,U.S.Department of Commerce,1977.
[53]NBA FIPS PUB 46-1.Data Encryption Standard.National Bureau of Standards,US.Department of Commerce,1988,Available at http://www.itl.nist.gov/fipspubs/fip46-2.htm
[54]Lai X and Massey J.A Proposal for a New Block Encryption Standard.In Proceeding of EUROCRYPT'90,Springer-Verlag,Berlin,1991,Available at http://www.springedink.com/index/J6L82X42B14C744E.pdf.
[55]Joan Danmen,Vincent Rijmen.AES Proposal:Rijndael.AES algorithm submission,September 3,1999,Available at http://www.nist.gov/aes.
[56]Joan Danmen,Vincent Rijmen.The AES Second Rond Comments of the Rjndael.AES Round 2 Public Comment,May 12,2000,Available at http://www.nist.gov/aes.
[57]Danmen J and Rijmen V.Answer to 'New Observations on Rijndael'.AES Forum Comment,August 11,2000,Available at http://www.east.kuleuven,ac.be/-rijmen/rijndael/.
[58]Rivest R L,Hellman M E,Anderson J C.and Lyons J W.Responses to NIST's proposal.Communications of the ACM,July 1992,35(7),pp.41-54.
[59]Robshaw M J B.Security of RC4.Technical Report TR-401,RSA Laboratories,July 1994.
[60]Schneier B.Applied Cryptography-Protocols,Algorithms,and Source Code in C.John Wiley & Sons,Inc.,1996.
[61]Rivest R L,Shamir A and Adleman L,A Method for Obtaining Digital Signatures and Public-key Cryptosystem.Comm.,ACM,Feb 1978,21(2),pp.120-126.
[62]RFC 1321.The MD5 Message-Digest Algorithm.Internet Request for Comments 1321,Rivest R L,April 1992(presented at Rump Session of CRYPTO'91),Available at http://www.faqs.org/rfcs/rfc1321.html.
[63]FIPS180.Secure Hash Standard.Federal Information Processing Standards Publication (FIPS PUB) 180,U.S.Department of Commerce/N.I.S.T.,National Technical Information Service,Springfield,Virginia,11 May,1993.
[64]FIPS 180-1.Secure Hash Standard.Federal Information Processing Standards Publication (FIPS PUB) 180-1,U.S.Department of Commerce/N.I.S.T.,National Technical Information Service,Springfield,Virginia,17 Apr.1993,Available at www.itl.nist.gov/fipspubs/fip 180-1.htm.
[65]Wenbo Mao著,王继林,伍前红等译,王育民,姜正涛审校.现代密码学理论与实践,北京:电子工业出版社,2004,pp.230.
[66]Elgamal T.A public-key cryptosystem and a signature scheme based on discrete logarithms.Advances in Cryptology-CRYPTO' 84 Proceedings,Springer-Verlag,1985,pp.10-18;also in IEEE Trans.On Information Theory,1985,31(4),pp.469-472.
[67]FIPS 186.Digital Signature Standard(DSS).Federal Information Processing Standards Publication(FIPS PUB) 185.U.S.Department of Commerce/N.I.S.T.,National Technical Information Service, Springfield, Virginia, 1994.
[68] National Institute of Standards and Technology, NIST FIPS PUB 186. Digital Signature Standard. U.S.Department of Commerce, May 1994. Available at http://www.itl.nist.gov/fipspubs/fip 186.htm
[69] Kravitz D W. Digital Signature Algorithm. U.S.Patent #5,231,668,27 July 1993.
[70] Shieh S P, Lin C T and Yang W B, et al. Digital multi-signature schemes for authenticating delegates in mobile code systems. IEEE Trans. Veh. Technol., 2000,49, pp. 1464-1473.
[71] Chien H Y, Jan J K and Tseng YM. Forgery attacks on multi-signature schemes for authenticating mobile code delegates. IEEE Trans. Veh. Technol., Nov. 2002, 51, pp. 1669-1671.
[72] Wu T C andHsu C L. Cryptanalysis of digital multi-signature schemes for or authenticating delegates gates in mobile code systems. IEEE Trans. ans. Veh. eh. Technol., Mar 2003, 52, pp.462-465.
[73] Hwang S J and Li E T. Cryptanalysis of Shieh-Lin-Yang-Sun signature scheme. IEEE Commun. Lett., Apr. 2003, 7, pp. 195-196.
[74] Chang C C and Chang Y F. Signing a digital signature without using one-way hash functions and message redundancy schemes. IEEE Commun. Lett., Aug. 2004, 8, pp.485-487.
[75] Chien H Y. Forgery Attacks on Digital Signature Schemes without using One-way Hash and Message Redundancy, IEEE Commun. Lett., May. 2006,10, pp.324-325.
[76] Boneh Dan and Boyen Xavier. Short Signatures Without Random Oracles, EUROCRYPT '04, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 2004, pp.56-73.
[77] Kaliski B. Contribution to ANSI X9F1 and IEEE P1363 working group, June 1998.
[78] Bellare M and Rogaway P. Entity Authentication and Key Distribution. In proceedings of Crypto 1993, LNCS 773, Springer-Verlag, 1994, pp. 231-249.
[79] Harn L and Lin H Y. An Authenticated Key Agreement without Using One-Way Hash Functions. Proc. 8th Nat. Conf. Information Security, Taiwan, 1998, pp. 155-160.
[80] Harn L and Lin H Y. Authenticated Key Agreement without Using One-Way Hash Functions. Electron. Lett., 2001,37(10), pp. 629-630.
[81] Zhou H S, Fan L and Li J H. Remarks on Unknown Key-Share Attack on Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 2003, 39(17), pp. 1248-1249.
[82] YEN S M and JOYE M. Improved Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 1998,34(18), pp.1738-1739.
[83] Wu T S, He W H and HSU C L. Security of Authenticated Multiple-Key Agreement Protocols. Electron. Lett., 1999, 35 (5), pp.391-392.
[84] Hwang M S, Lin C W and Lee C C. Improved Yen-Joye's Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 2002, 38(23), pp. 429-1431.
[85] Harn L, Hsin W J and Mehta M. Authenticated Diffie-Hellman Key Agreement Protocol Using a Single Cryptographic Assumption. IEE Proc. Commun., 2005, 152(4), pp. 404-410.
[86] Menezes A J, Qu M and Vanstone S A. Some Key Agreement Protocols Providing Implicit Authentication. 2nd Workshop Selected Areas in Cryptography, 1995
[87] Zhou L, Susilo W and Mu Y. Efficient ID-Based Authenticated Group Key Agreement from Bilinear Pairings. MSN 2006, LNCS 4325, Springer-Verlag, 2006, pp. 521-532.
[88] Bellare M, Pointcheval D and Rogaway P. Authenticated Key Exchange Secure against Dictionary Attacks. EUROCRYPT 2000, LNCS 1807, Springer-Verlag, 2000, pp. 139-154.
[89] Abdalla M and Pointcheval D. A Scalable Password-Based Group Key Exchange Protocol in the Standard Model. ASIACRYPT 2006, LNCS 4284, Springer-Verlag, 2006, pp. 332-347.
[90] Nalla D and Reddy K C. Identity Based Authenticated Group Key Agreement Protocol. In proceedings of Indocrypt 2002, LNCS 2551, Springer-Verlag, 2002, pp. 215-233.
[91] Bellare M and Rogaway P. Provably Secure Session Key Distribution: The Three-party Case. In proceedings of STOC 1995, ACM Press, 1995, pp. 57-66.
[92] Xie G. Cryptanalysis of Noel McCullagh and Paulo S. L. M. Barreto's Two-party Identity-Based Key Agreement. Available at http://eprint.iacr. org/2004/308.
[93] Choo K K R. Revisit of McCullagh-Barreto Two-Party ID-Based Authenticated Key Agreement Protocols. Available at http://eprint.iacr.org/204/343.
[94] Kwon J O, Jeong I R, Sakurai K, Lee D H. Efficient verifier-based password-authenticated key exchange in the three-party setting. Computer Standards & Interfaces, 2007, 29, 513-520.
[95]Burmester M and Desmedt Y.A Secure and Scalable Group Key Exchange System.In Information Processing Letters,2005,94(3),pp.137-143.
[96]Bresson E and Catalano D.Constant Round Authenticated Group Key Agreement via Distributed Computing.In proceedings of PKC 2004,LNCS 2947,Springer-Vedag,2004,pp.115-129.
[97]Zhou L,Susilo W and Mu Y.Efficient ID-Based Authenticated Group Key Agreement from Bilinear Pairings.MSN 2006,LNCS 4325,Springer-Verlag,2006.521-532.
[98]Bresson E,Chevassut O,Essiari A and Pointcheval D.Mutual Authentication and Group Key Agreement for Low-power Mobile Devices.Computer Communication,2004,27(17),pp.1730-1737.Full version available at http://www.di.ens.fr/bresson.
[99]Nam J,Kim S and Won D.Attacks on Bresson-Chevassut-Essiari-Pointcheval's Group Key Agreement Scheme for Low-Power Mobile Devices.Available at http://eprint.iacr.org/2004/251.
[100]Nam J,Kim S and Won D.Provably-Secure and Communication-Efficient Scheme for Dynamic Group Key Exchange.Available at http://eprint.iacr.org/2004/115.
[101]Abdalla M,Bresson E and Chevassut O et al.Strong Password-Based Authentication in TLS.International Journal of Security and Networks,2007,2(3),pp.284-296.
[102]刁俊峰,温巧燕.软件安全中的若干关键技术研究[D].北京邮电大学,2007,pp.41-55.
[103]Wu L f,Zhang Y Q and Wang F J.A New Provably Secure Authentication and Key Agreement Protocol for SIP Using ECC.Available at http://eprint.iacr.org/2007/219.
[104]Salsano S,Veltri L and Papalilo D.SIP security issues:the SIP authentication procedure and its processing load.IEEE Network,2002,16(6),pp.38-44.
[105]RFC3261.Available at www.faqs.org/rfcs/rfc3261.html.
[106]Canetti R and Krawczyk H.Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels.Proceedings of Eurocrpt'01,LNCS 2045,Springer-Verlag,Berlin,2001,pp.453-474.
[107]RFC3310.Available at http://www.faqs.org/rfcs/rfc3310.html.
[108]Microsoft.Remote Desktop Protocol(RDP) Features and Performance White Paper.Available at www.microsoft.com,June 27,2000.
[109]ITU-T.Multipoint Communication Service-Service Definition.International Telecommunication Union,Available at http://www.itu.int/.02/98.
[110]Bresson E,Chevassut O,and Pointcheval D.Cryptography for Secure Dynamic Group Communication.U.S.Patent Application 20050157874,November 30,2004.http://www.lbl.gov/Tech-Transfer/techs/lbnl1973.html.
[2]Pfleeger C P and Pfleeger S L.Security in Computing,3rd Editon.NJ:Prentice Hall.2003.
[3]孟庆树,王丽娜,傅建明等(译).密码编码学与网络安全--原理与实践(第四版).西安:电子工业出版社,2006.
[4]卿斯汉,刘文清,温红予.操作系统安全.北京:清华大学出版社,2004.
[5]Ratna Dutta,Rana Barua.Overview of Key Agreement Protocols.Available at http://citeseer.ist.psu.edu/7 41710.html,2006.
[6]Diffie W and Hellman M.New Directions in Cryptography.In IEEE Transaction on Information Theory,1976,22(6),pp.644-654.
[7]Blake-Wilson S,Johnson D,and Menezes A.Key Agreement Protocols and Their Security Analysis.Proc of the sixth IMA International Conference on Cryptography and Coding,LNCS 1355,Springer-Verlag,1997,pp.30-45.
[8]Blake-Wilson S and Menezes A.Authenticated Diffie-Hellman Key Agreement Protocols.5th Annual Workshop on Selected Areas in Cryptography(SAC'98),LNCS 1556.Springer-Verlag 1998,pp.339-361.
[9]Law L,Menezes A,Qu M,Solinas J,and Vanstone S.An Efficient Protocol for Authenticated Key Agreement.Technical Report CORR 98-05,Department of C & O,University of Waterloo,1998.
[10]Kaliski B.An Unknown Key-Share Attack on The MQV Key Agreement Protocol.ACM Trans.on Information and Systems Security,2001,4(3),pp.275-288.
[11]Bellare M and Rogaway P.Random Oracles are Practical:A Paradigm for Designing Efficient Protocols.In proceedings of ACM CCS 1993,ACM Press,1993,pp.62-73.
[12]Bellare M,Canetti R and Krawczyk H.A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols.In proceedings of the 30th Annual Symposium on the Theory of Computing.ACM Press,1998,pp.419-428.Available at http://www.cs.edu/users/mihir/papers/key-distribution,html/.
[13]Bresson E,Chevassut O and Pointcheval D.Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions.In proceedings of Eurocrypt 2002,LNCS 2332, Springer-Verlag, 2002, pp.321-336.
[14] Bresson E, Chevassut O, and Pointcheval D. Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case. In proceedings of Asiacrypt 2001, LNCS 2248, Springer-Verlag, 2001, pp. 290-309.
[15] Bresson E, Chevassut O, Pointcheval D, and J. Quisquater J. Provably Authenticated Group Diffie-Hellman Key Exchange. In proceedings of ACM CCS 2001, ACM Press, 2001, pp. 255-264.
[16] Shamir A. Identity-based Cryptosystems and Signature Schemes. In proceedings of Cryptol984, LNCS 196, Springer-Verlag, 1984, pp. 47-53.
[17] Girault M and Paillers J C. An Identity Based Scheme Providing Zero- knowledge Authenticated Key Exchange. In proceedings of ESORICS 1990,1990, pp. 173-184.
[18] Okamoto E. Proposal for Identity Based Key Distribution System. In Electronic Letters, 1986,22, pp. 1283-1284.
[19] Cocks C. An Identity Based Encryption Scheme based on Quadratic Residues. In Cryptography and Coding, LNCS 2260, Springer-Verlag, 2001, pp. 360-363. http://www.cesg.gov.uk/site/ast/idpkc/media/ciren.pdf.
[20] Boneh D. and Franklin M. Identity-Based Encryption from Weil Pairing. In proceedings of Crypto 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213-229.
[21] Dutta R, Barua R and Sarkar P. Pairing Based Cryptographic Protocols : A Survey. Manuscript 2004. Available at http://eprint.iacr.org/2004/ 064.
[22] Matsumoto T, Takashima Y and Imai H. On Seeking Smart Public-key Distribution Systems. Transactions of the IECE of Japan, 1986, 69, pp. 99-106.
[23] Scott M. Authenticated ID-based Key Exchange and Remote Log-in with Insecure Token and PIN Number. Available at http://eprint.iacr.org/2002/164.
[24] Joux A. A One Round Protocol for Tripartite Diffie-Hellman. In proceedings of ANTS 4, LNCS 1838, Springer-Verlag, 2000, pp. 385-394.
[25] Smart N P. An Identity-based Authenticated Key Agreement Protocol Based on the Weil Pairing. In Electronic Letters, 2002, 38, pp. 630-632.
[26] Chen L and Kudla C. Identity Based Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.Org/2002/l84.
[27] Shim K. Efficient ID-based Authenticated Key Agreement Protocol Based on the Weil Pairing. In Electronic Letters, 2003, Vol 39(8), pp. 653-654.
[28] Sun H M and Hsieh B T. Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.Org/2003/113.
[29] McCullagh N and Barreto P S L M. A New Two-Party Identity-Based Authenticated Key Agreement. In proceedings of CT-RSA 2005, LNCS 3376, Springer-Verlag, 2005, pp. 262-274. Also available at http://eprint.iacr.org/2004 /122.
[30] Xie G. Cryptanalysis of Noel McCullagh and Paulo S. L. M. Barreto's Two- party Identity-Based Key Agreement. Available at http://eprint.iacr.org/2004/ 308.
[31] Jeong I R, Katz J and Lee D H. One-Round Protocols for Two-Party Authenticated Key Exchange. In proceedings of ACNS 2004, LNCS 3089, Springer-Verlag, 2004, pp. 220-232.
[32] Al-Riyami S and Paterson K G. Tripartite Authenticated Key Agreement Protocols from Pairings. In proceedings of IMA Conference of Cryptography and Coding, LNCS 2898, pp.332-359. Also available at http://eprint.iacr.org/ 2002/035.
[33] Shim K. Cryptanalysis of Al-Riyami-Paterson's Authenticated Three Party Key Agreement Protocols. Available at http://eprint.iacr.org/2003/122.
[34] Nalla D. ID-Based Tripartite Key Agreement with Signature. Available at http://eprint.iacr.org/2003/144.
[35] Nalla D and Reddy K C. ID-Based Tripartite Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.org/2003/004.
[36] Chen Z. Security Analysis on Nalla-Reddy's ID-based Tripartite Authenticated Key Agreement Protocol. Available at http://eprint.iacr.org/2003/103.
[37] Shim K. Cryptanalysis of ID-Based Tripartite Authenticated Key Agreement Protocol. Available at http://eprint.iacr.org/2003/115.
[38] Zhang F, Liu S and Kim K. ID-based One Round Authenticated Tripartite Key Agreement Protocol with Pairings. Available at http://eprint.iacr.org/2002/122.
[39] Hess F. Efficient Identity Based Signature Schemes Based on Pairings. In proceedings of SAC 2002, LNCS 2595, Springer-Verlag, 2002, pp. 310-324.
[40] Ingemarsson I, Tang D T, and Wong C K. A Conference Key Distribution System. In IEEE Transactions on Information Theory, 1982, Vol 28(5), pp. 714-720.
[41] Burmester M and Desmedt Y. A Secure and Efficient Conference Key Distribution System. In proceedings of Eurocrypt 1994,LNCS 950,Springer- Verlag,1995,pp.275-286.
[42]Steiner M,Tsudik G,Waidner M.Diffie-Hellman Key Distribution Extended to Group Communication.In proceedings of ACM CCS 1996,ACM Press,1996,pp.31-37.
[43]Becker K and Wille U.Communication Complexity of Group Key Distribution.In proceedings of ACM CCS 1998,ACM Press,1998,pp.1-6.
[44]Ateniese G,Steiner M,and Tsudik G.Authenticated Group Key Agreement and Friends.In proceedings of ACM CCS 1998[1],ACM Press,1998,pp.17-26.
[45]Ateniese G,Steiner M,and Tsudik G.New Multi-party Authenticated Services and Key Agreement Protocols.In Journal of Selected Areas in Communications IEEE,2000,18(4),pp.1-13.
[46]Steiner M,Tsudik G and Waidner M.Cliques:A New Approach to Group Key Agreement.In IEEE Conference on Distributed Computing Systems,May 1998,pp.380.
[47]Pereira O and Quisquater J J.A Security Analysis of the Cliques Protocol Suite.In Computer Security Fotmdations Workshop(CSFW 2001),IEEE Computer Society Press,2001,pp.73-81.
[48]Goldreich O.Secure Multi-party Computation,Working Draft,Version 1.3,June 24,2001.Available from http://www.wisdom.weizmann.ac.il/-oded/pp.html/.
[49]Abdalla M,Bresson E and Chevassut O,et al.Password-based Group Key Exchangein a Constant Number of Rounds.International Workshop on Practice and Theory in Public Key Cryptography(PKC 2006),New York City,USA,April 2006.
[50]柯召,孙琦.述论讲义(上册).北京:高等教育出版社,2002,pp.145.
[51]Davis R M.The Data Encryption Standard in Perspective.Computer Security and the Data Encryption Standard,National Bureau of Standards,Specal Publication.Feb 1978.
[52]NBS FIPS PUB 46.Data Encryption Standard.National Bureau of Standards,U.S.Department of Commerce,1977.
[53]NBA FIPS PUB 46-1.Data Encryption Standard.National Bureau of Standards,US.Department of Commerce,1988,Available at http://www.itl.nist.gov/fipspubs/fip46-2.htm
[54]Lai X and Massey J.A Proposal for a New Block Encryption Standard.In Proceeding of EUROCRYPT'90,Springer-Verlag,Berlin,1991,Available at http://www.springedink.com/index/J6L82X42B14C744E.pdf.
[55]Joan Danmen,Vincent Rijmen.AES Proposal:Rijndael.AES algorithm submission,September 3,1999,Available at http://www.nist.gov/aes.
[56]Joan Danmen,Vincent Rijmen.The AES Second Rond Comments of the Rjndael.AES Round 2 Public Comment,May 12,2000,Available at http://www.nist.gov/aes.
[57]Danmen J and Rijmen V.Answer to 'New Observations on Rijndael'.AES Forum Comment,August 11,2000,Available at http://www.east.kuleuven,ac.be/-rijmen/rijndael/.
[58]Rivest R L,Hellman M E,Anderson J C.and Lyons J W.Responses to NIST's proposal.Communications of the ACM,July 1992,35(7),pp.41-54.
[59]Robshaw M J B.Security of RC4.Technical Report TR-401,RSA Laboratories,July 1994.
[60]Schneier B.Applied Cryptography-Protocols,Algorithms,and Source Code in C.John Wiley & Sons,Inc.,1996.
[61]Rivest R L,Shamir A and Adleman L,A Method for Obtaining Digital Signatures and Public-key Cryptosystem.Comm.,ACM,Feb 1978,21(2),pp.120-126.
[62]RFC 1321.The MD5 Message-Digest Algorithm.Internet Request for Comments 1321,Rivest R L,April 1992(presented at Rump Session of CRYPTO'91),Available at http://www.faqs.org/rfcs/rfc1321.html.
[63]FIPS180.Secure Hash Standard.Federal Information Processing Standards Publication (FIPS PUB) 180,U.S.Department of Commerce/N.I.S.T.,National Technical Information Service,Springfield,Virginia,11 May,1993.
[64]FIPS 180-1.Secure Hash Standard.Federal Information Processing Standards Publication (FIPS PUB) 180-1,U.S.Department of Commerce/N.I.S.T.,National Technical Information Service,Springfield,Virginia,17 Apr.1993,Available at www.itl.nist.gov/fipspubs/fip 180-1.htm.
[65]Wenbo Mao著,王继林,伍前红等译,王育民,姜正涛审校.现代密码学理论与实践,北京:电子工业出版社,2004,pp.230.
[66]Elgamal T.A public-key cryptosystem and a signature scheme based on discrete logarithms.Advances in Cryptology-CRYPTO' 84 Proceedings,Springer-Verlag,1985,pp.10-18;also in IEEE Trans.On Information Theory,1985,31(4),pp.469-472.
[67]FIPS 186.Digital Signature Standard(DSS).Federal Information Processing Standards Publication(FIPS PUB) 185.U.S.Department of Commerce/N.I.S.T.,National Technical Information Service, Springfield, Virginia, 1994.
[68] National Institute of Standards and Technology, NIST FIPS PUB 186. Digital Signature Standard. U.S.Department of Commerce, May 1994. Available at http://www.itl.nist.gov/fipspubs/fip 186.htm
[69] Kravitz D W. Digital Signature Algorithm. U.S.Patent #5,231,668,27 July 1993.
[70] Shieh S P, Lin C T and Yang W B, et al. Digital multi-signature schemes for authenticating delegates in mobile code systems. IEEE Trans. Veh. Technol., 2000,49, pp. 1464-1473.
[71] Chien H Y, Jan J K and Tseng YM. Forgery attacks on multi-signature schemes for authenticating mobile code delegates. IEEE Trans. Veh. Technol., Nov. 2002, 51, pp. 1669-1671.
[72] Wu T C andHsu C L. Cryptanalysis of digital multi-signature schemes for or authenticating delegates gates in mobile code systems. IEEE Trans. ans. Veh. eh. Technol., Mar 2003, 52, pp.462-465.
[73] Hwang S J and Li E T. Cryptanalysis of Shieh-Lin-Yang-Sun signature scheme. IEEE Commun. Lett., Apr. 2003, 7, pp. 195-196.
[74] Chang C C and Chang Y F. Signing a digital signature without using one-way hash functions and message redundancy schemes. IEEE Commun. Lett., Aug. 2004, 8, pp.485-487.
[75] Chien H Y. Forgery Attacks on Digital Signature Schemes without using One-way Hash and Message Redundancy, IEEE Commun. Lett., May. 2006,10, pp.324-325.
[76] Boneh Dan and Boyen Xavier. Short Signatures Without Random Oracles, EUROCRYPT '04, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 2004, pp.56-73.
[77] Kaliski B. Contribution to ANSI X9F1 and IEEE P1363 working group, June 1998.
[78] Bellare M and Rogaway P. Entity Authentication and Key Distribution. In proceedings of Crypto 1993, LNCS 773, Springer-Verlag, 1994, pp. 231-249.
[79] Harn L and Lin H Y. An Authenticated Key Agreement without Using One-Way Hash Functions. Proc. 8th Nat. Conf. Information Security, Taiwan, 1998, pp. 155-160.
[80] Harn L and Lin H Y. Authenticated Key Agreement without Using One-Way Hash Functions. Electron. Lett., 2001,37(10), pp. 629-630.
[81] Zhou H S, Fan L and Li J H. Remarks on Unknown Key-Share Attack on Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 2003, 39(17), pp. 1248-1249.
[82] YEN S M and JOYE M. Improved Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 1998,34(18), pp.1738-1739.
[83] Wu T S, He W H and HSU C L. Security of Authenticated Multiple-Key Agreement Protocols. Electron. Lett., 1999, 35 (5), pp.391-392.
[84] Hwang M S, Lin C W and Lee C C. Improved Yen-Joye's Authenticated Multiple-Key Agreement Protocol. Electron. Lett., 2002, 38(23), pp. 429-1431.
[85] Harn L, Hsin W J and Mehta M. Authenticated Diffie-Hellman Key Agreement Protocol Using a Single Cryptographic Assumption. IEE Proc. Commun., 2005, 152(4), pp. 404-410.
[86] Menezes A J, Qu M and Vanstone S A. Some Key Agreement Protocols Providing Implicit Authentication. 2nd Workshop Selected Areas in Cryptography, 1995
[87] Zhou L, Susilo W and Mu Y. Efficient ID-Based Authenticated Group Key Agreement from Bilinear Pairings. MSN 2006, LNCS 4325, Springer-Verlag, 2006, pp. 521-532.
[88] Bellare M, Pointcheval D and Rogaway P. Authenticated Key Exchange Secure against Dictionary Attacks. EUROCRYPT 2000, LNCS 1807, Springer-Verlag, 2000, pp. 139-154.
[89] Abdalla M and Pointcheval D. A Scalable Password-Based Group Key Exchange Protocol in the Standard Model. ASIACRYPT 2006, LNCS 4284, Springer-Verlag, 2006, pp. 332-347.
[90] Nalla D and Reddy K C. Identity Based Authenticated Group Key Agreement Protocol. In proceedings of Indocrypt 2002, LNCS 2551, Springer-Verlag, 2002, pp. 215-233.
[91] Bellare M and Rogaway P. Provably Secure Session Key Distribution: The Three-party Case. In proceedings of STOC 1995, ACM Press, 1995, pp. 57-66.
[92] Xie G. Cryptanalysis of Noel McCullagh and Paulo S. L. M. Barreto's Two-party Identity-Based Key Agreement. Available at http://eprint.iacr. org/2004/308.
[93] Choo K K R. Revisit of McCullagh-Barreto Two-Party ID-Based Authenticated Key Agreement Protocols. Available at http://eprint.iacr.org/204/343.
[94] Kwon J O, Jeong I R, Sakurai K, Lee D H. Efficient verifier-based password-authenticated key exchange in the three-party setting. Computer Standards & Interfaces, 2007, 29, 513-520.
[95]Burmester M and Desmedt Y.A Secure and Scalable Group Key Exchange System.In Information Processing Letters,2005,94(3),pp.137-143.
[96]Bresson E and Catalano D.Constant Round Authenticated Group Key Agreement via Distributed Computing.In proceedings of PKC 2004,LNCS 2947,Springer-Vedag,2004,pp.115-129.
[97]Zhou L,Susilo W and Mu Y.Efficient ID-Based Authenticated Group Key Agreement from Bilinear Pairings.MSN 2006,LNCS 4325,Springer-Verlag,2006.521-532.
[98]Bresson E,Chevassut O,Essiari A and Pointcheval D.Mutual Authentication and Group Key Agreement for Low-power Mobile Devices.Computer Communication,2004,27(17),pp.1730-1737.Full version available at http://www.di.ens.fr/bresson.
[99]Nam J,Kim S and Won D.Attacks on Bresson-Chevassut-Essiari-Pointcheval's Group Key Agreement Scheme for Low-Power Mobile Devices.Available at http://eprint.iacr.org/2004/251.
[100]Nam J,Kim S and Won D.Provably-Secure and Communication-Efficient Scheme for Dynamic Group Key Exchange.Available at http://eprint.iacr.org/2004/115.
[101]Abdalla M,Bresson E and Chevassut O et al.Strong Password-Based Authentication in TLS.International Journal of Security and Networks,2007,2(3),pp.284-296.
[102]刁俊峰,温巧燕.软件安全中的若干关键技术研究[D].北京邮电大学,2007,pp.41-55.
[103]Wu L f,Zhang Y Q and Wang F J.A New Provably Secure Authentication and Key Agreement Protocol for SIP Using ECC.Available at http://eprint.iacr.org/2007/219.
[104]Salsano S,Veltri L and Papalilo D.SIP security issues:the SIP authentication procedure and its processing load.IEEE Network,2002,16(6),pp.38-44.
[105]RFC3261.Available at www.faqs.org/rfcs/rfc3261.html.
[106]Canetti R and Krawczyk H.Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels.Proceedings of Eurocrpt'01,LNCS 2045,Springer-Verlag,Berlin,2001,pp.453-474.
[107]RFC3310.Available at http://www.faqs.org/rfcs/rfc3310.html.
[108]Microsoft.Remote Desktop Protocol(RDP) Features and Performance White Paper.Available at www.microsoft.com,June 27,2000.
[109]ITU-T.Multipoint Communication Service-Service Definition.International Telecommunication Union,Available at http://www.itu.int/.02/98.
[110]Bresson E,Chevassut O,and Pointcheval D.Cryptography for Secure Dynamic Group Communication.U.S.Patent Application 20050157874,November 30,2004.http://www.lbl.gov/Tech-Transfer/techs/lbnl1973.html.