Analysis and Design of Group Key Agreement Protocols
Abstract
Key agreement protocols are an important basic building block of cryptography: two or more parties, communicating over an insecure public data network, use some method to produce a shared session key in order to communicate securely with each other. Secure key agreement protocols are therefore the foundation for building secure, complex higher-level protocols and systems.
     Since the two-party authenticated key agreement protocols MQV and HMQV were proposed as drafts of the relevant standards, while standards for authenticated group key agreement (AGKA: Authenticated Group Key Agreement) are still under discussion, AGKA protocols have become a research hotspot for peers at home and abroad.
     This thesis first introduces the application background of group key agreement protocols, then analyses and compares the main security models for key agreement protocols. According to the authentication method used, authenticated key agreement protocols generally fall into three classes: 1) group key agreement protocols based on traditional public-key cryptosystems (PKI/CA); 2) identity-based (ID-based) group key agreement protocols; 3) password-based group key agreement protocols. Finally, the three classes are studied from two sides: analysing existing AGKA protocols, and designing new AGKA protocols. The specific contributions are as follows:
     For group key agreement protocols based on traditional public-key cryptosystems (PKI/CA): resistance to leakage of ephemeral secret information is an important security property of AGKA protocols. It refers to the following situation: if, in some run of an AGKA protocol, a user's ephemeral secret (such as the Diffie-Hellman exponent x in the message pair (x, X = g^x) that is used to compute the session key) is leaked, then the attacker can not only compute the session key of that run but, for as long as the user's signing key remains valid, can also use that ephemeral secret together with its signature to impersonate the user in AGKA runs with other users. To overcome this shortcoming of existing authenticated group key agreement (AGKA) protocols, an efficient constant-round AGKA protocol is proposed on the basis of the dual exponential challenge-response signature (DCR signature) recently proposed by Krawczyk and the group key agreement (GKA) protocol of Burmester et al. (the BD scheme). Besides the security of existing AGKA protocols, the new protocol resists attacks based on leakage of the ephemeral secret exponent, and is also somewhat more efficient. In analysing the security and efficiency of existing PKI/CA-based AGKA protocols, it is shown that the group key agreement protocol compiler proposed by Abdalla et al. at TCC 2007 does not resist impersonation attacks, and a corresponding improvement is given.
     For identity-based (ID-based) group key agreement protocols: most existing public-key AGKA protocols fall into two classes. In the first, authentication is based on PKI/CA and the session-key agreement part is implemented mainly with modular exponentiation (or point multiplication); in the second, authentication uses an identity-based (ID-based) public-key system and the session-key agreement part is implemented mainly with the Weil or Tate pairing. The first class has a notable problem, public-key management; the second solves that problem effectively but, because its session-key agreement part relies mainly on bilinear pairings (the Weil or Tate pairing), it is computationally heavier and less efficient than the first. To address these shortcomings, a static AGKA protocol is designed whose authentication part is an ID-based public-key system and whose session-key agreement part is computed mainly with modular exponentiation (or point multiplication); its security is proved under the corresponding assumptions. It is shown that the AGKA protocol of Choi et al. at PKC 2004 does not resist outsider attacks, and an improved scheme is given. It is shown that, in the identity-based multi-security-group key agreement protocol proposed by Liu et al. at ChinaCrypt 2007, an attacker can cause the group members to finish a run with inconsistent session keys without the members noticing; further, an attacker who obtains a transcript of the protocol can compute the session key. On this basis an improved scheme is given.
     Compared with PKI/CA-based and identity-based key agreement protocols, which require participants to verify certificates and store high-quality secret keys (master keys), password-based three-party key agreement protocols require participants only to remember a shared password and can still produce a high-quality session key. Such protocols cost less to implement and have better application prospects. We successively propose two pairing-based password-authenticated three-party key agreement protocols, 3-PAKE-1 and 3-PAKE-2, prove their security in the standard model, and obtain some efficiency improvement over related protocols. These protocols are well suited to settings that do not support PKI/CA or where it is inconvenient for users to keep long-term private keys.
As an important research domain of cryptography, key agreement protocols allow two or more parties to exchange information over an adversarially controlled insecure network and agree upon a common session key that ensures later secure communication among the parties. Thus, secure key agreement protocols serve as a basic building block for constructing secure, complex, high-level protocols.
     Although the MQV and HMQV protocols, possibly the most efficient of all known two-party Diffie-Hellman protocols that use public-key authentication, have been widely standardized, standards for authenticated group key agreement (AGKA) protocols are still under discussion. Therefore, significant research effort is currently devoted to the exploration of AGKA protocols.
     The thesis first provides a number of examples of widely deployed group applications, then describes the state of the art of theoretical research on security requirements and the currently available security models for group key agreement protocols. According to the authentication approach, we classify group key agreement protocols into three categories: certificate-based, ID-based and password-based. This study aims to analyze and improve current AGKA protocols, and to design new provably secure AGKA protocols. The contributions are summarized as follows:
     As regards certificate-based AGKA protocols, their resistance to the disclosure of the secret exponent x corresponding to an ephemeral (session-specific) DH value X = g^x is an important security consideration. This is a prime concern for any Diffie-Hellman protocol, since many applications boost protocol performance by pre-computing ephemeral pairs (x, X = g^x) for later use in the protocol (this may apply to low-power devices as well as to high-volume servers). In this case, however, the stored pairs are more vulnerable to leakage than long-term static secrets: the latter may be kept in a hardware-protected area, while the ephemeral pairs will typically be stored on disk and are hence more exposed to a temporary break-in or to a malicious user of the system. To overcome this weakness of the existing AGKA protocols, a novel constant-round AGKA protocol is proposed that combines the dual exponential challenge-response (DCR) signature with the BD structure; it resists the leakage of ephemeral secret DH exponents while retaining the security of related AGKA protocols, and is more efficient in terms of both communication and computation. An impersonation attack against an existing protocol compiler shows that two malicious users can impersonate an entity to agree upon session keys in a new group if they hold previous commitment transcripts of that entity. In view of this, an improvement of the protocol is proposed.
     In terms of ID-based AGKA protocols: according to the asymmetric authentication technique used, current AGKA protocols are sorted into certificate-based ones, mainly implemented by modular exponentiation (or point multiplication), and ID-based ones, implemented by pairings. Compared with certificate-based AGKA, ID-based AGKA simplifies the key management procedures, but is more time-consuming than PKI/CA-based AGKA protocols. To overcome the weaknesses of both kinds of AGKA protocol, a novel ID-based AGKA protocol implemented by point multiplication is proposed. A more detailed security analysis of an existing ID-based AGKA protocol is given, and it is found that this protocol does not resist outsider attack: an adversary can make the group session key inconsistent without the users in the group detecting it. We thus obtain an obvious improvement of that protocol. We also analyze the security of an existing ID-based AGKA protocol for different security domains and show that an adversary can make group members share different keys while deceiving them into believing that they share a common session key; what is more, an adversary can compute the session key if it has the transcripts of this ID-based AGKA protocol. A further improvement of that protocol is given.
     Compared with ID-based and PKI/CA-based protocols, password-based protocols require the participants only to remember a shared low-entropy password, and are therefore suitable for implementation in many scenarios, especially those where no device is capable of securely storing a high-entropy long-term secret key. We therefore design two password-based tripartite key agreement protocols (3-PAKE-1 and 3-PAKE-2) from the Weil pairing. The security of both protocols is provable in the standard model. 3-PAKE-1 and 3-PAKE-2 are suitable for users who have nowhere to store a high-entropy long-term secret key or have no support from a public key infrastructure.
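As an added illustration, not code from the thesis, the following Python shows the unauthenticated Burmester-Desmedt (BD) group key agreement that the proposed constant-round protocol builds on, with toy parameters: two broadcast rounds, after which every party derives the same key from its own ephemeral exponent and the public transcript. The function names, the modulus P and the base G are assumptions of this example. The point it makes is the one the abstract makes: the only secret input to derive_key is the party's own x_i, so a leaked precomputed pair (x_i, g^x_i) exposes that run's key, which is why ephemeral pairs deserve the same protection as long-term keys rather than being cached on disk.

```python
import secrets

# Toy group parameters, constructed for this example only: a Mersenne prime modulus
# and a small base. Real deployments use a standardised group of secure size.
P = (1 << 61) - 1
G = 3


def fresh_exponents(n):
    """Each party U_i privately samples its ephemeral Diffie-Hellman exponent x_i."""
    return [secrets.randbelow(P - 2) + 1 for _ in range(n)]


def round1(x_i):
    """Round 1: U_i broadcasts z_i = g^{x_i}."""
    return pow(G, x_i, P)


def round2(i, x_i, z):
    """Round 2: U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{x_i}, indices taken mod n."""
    n = len(z)
    ratio = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P
    return pow(ratio, x_i, P)


def derive_key(i, x_i, z, X):
    """U_i computes K = z_{i-1}^{n x_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^{1}.

    Everything here except x_i is public transcript (the two broadcast rounds),
    which is exactly why leaking x_i gives away the session key of this run.
    """
    n = len(z)
    k = pow(z[(i - 1) % n], n * x_i, P)
    for j in range(n - 1):
        k = k * pow(X[(i + j) % n], n - 1 - j, P) % P
    return k


def run_bd(xs):
    """Run both broadcast rounds for the given exponents; return the transcript and each party's key."""
    z = [round1(x) for x in xs]
    X = [round2(i, xs[i], z) for i in range(len(xs))]
    keys = [derive_key(i, xs[i], z, X) for i in range(len(xs))]
    return (z, X), keys


def expected_key(xs):
    """Closed form the protocol must reach: g^{x_1 x_2 + x_2 x_3 + ... + x_n x_1}."""
    n = len(xs)
    return pow(G, sum(xs[i] * xs[(i + 1) % n] for i in range(n)), P)


if __name__ == "__main__":
    xs = fresh_exponents(5)
    (z, X), keys = run_bd(xs)
    print("all parties agree:", len(set(keys)) == 1,
          "matches closed form:", keys[0] == expected_key(xs))
```

Nothing in this exchange is authenticated: it is the bare GKA core, and the thesis adds the DCR signature on top so that an active adversary cannot substitute its own z_i or X_i. The BD key depends only on the ephemeral exponents, so a leaked x_i compromises one run; whether it also lets the attacker impersonate the user in later runs depends on how the signature layer binds x_i, which is the property the proposed protocol is designed to control.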
References
[1] A. Menezes, M. Qu, and S. Vanstone. Some New Key Agreement Protocols Providing Mutual Implicit Authentication [C] // Second Workshop on Selected Areas in Cryptography (SAC 95), 1995.
[2] Xukai Zou, Byrav Ramamurthy, and Spyros S. Magliveras. Secure Group Communication over Data Networks [M]. Berlin, Heidelberg: Springer-Verlag, 2005.
[3] Paul Garrett; translated by Wu Shizhong, Song Xiaolong, Guo Tao et al. Introduction to Cryptography [M]. Beijing: China Machine Press, 2003.
[4] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography [M]. CRC Press, October 1996.
[5] Wenbo Mao; translated by Wang Jilin, Wu Qianhong et al.; revised by Wang Yumin, Jiang Zhengtao. Modern Cryptography: Theory and Practice [M]. Beijing: Publishing House of Electronics Industry, 2004.
[6] O. Pereira and J.-J. Quisquater. Some Attacks upon Authenticated Group Key Agreement Protocols [J]. Journal of Computer Security, 2003, 11(4): 555-580.
[7] Feng Dengguo. Research on Theory and Approach of Provable Security [J]. Journal of Software, 2005, 16(10): 1743-1756.
[8] M. Bellare. Practice-Oriented Provable-Security [C] // In: I. Damgard, ed. Modern Cryptology in Theory and Practice. LNCS 1561, Berlin, Heidelberg: Springer-Verlag, 1999: 1-15.
[9] O. Goldreich. Foundations of Cryptography [M]. Cambridge: Cambridge University Press, 2001.
[10] R. Needham and M. Schroeder. Using Encryption for Authentication in Large Networks of Computers [J]. Communications of the ACM, 1978, 21(12): 993-999.
[11] G. Sacco. Timestamps in Key Distribution Protocols [J]. Communications of the ACM, 1981, 24(8): 523-536.
[12] M. Burrows, M. Abadi, and R. Needham. A Logic for Authentication [J]. ACM Trans. on Computer Systems, 1990, 8(1): 18-36.
[13] M. Bellare and P. Rogaway. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols [C] // In: Proc. of the 1st ACM Conf. on Computer and Communications Security. New York: ACM Press, 1993: 62-67. http://doi.acm.org/10.1145/168588.168596
[14] C. E. Shannon. Communication Theory of Secrecy Systems [J]. The Bell Systems Technical Journal, 1949, 28(4): 656-715.
[15] E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane. Codes Which Detect Deception [J]. The Bell Systems Technical Journal, 1974, 53(3): 405-424.
[16] G. J. Simmons. A Survey of Information Authentication. Contemporary Cryptology: The Science of Information Integrity, 1974: 379-419.
[17] M. N. Wegman and J. L. Carter. New Hash Functions and Their Use in Authentication and Set Equality [J]. Journal of Computer and System Sciences, 1981, 22(8): 265-279.
[18] R. Ahlswede and I. Csiszar. Common Randomness in Information Theory and Cryptography - I: Secret Sharing [J]. IEEE Transactions on Information Theory, 1993, 39(4): 1121-1132.
[19] I. Csiszar and J. Korner. Broadcast Channels with Confidential Messages [J]. IEEE Transactions on Information Theory, 1978, 24(3): 339-348.
[20] U. Maurer. Secret Key Agreement by Public Discussion [J]. IEEE Transactions on Information Theory, 1993, 39(3): 733-742.
[21] U. Maurer. Information-Theoretically Secure Secret-Key Agreement by NOT Authenticated Public Discussion [C] // In Advances in Cryptology - EUROCRYPT '97, LNCS 1233, Springer-Verlag, 1997: 209-225.
[22] U. Maurer and S. Wolf. Towards Characterizing when Information-Theoretic Key Agreement is Possible [C] // In Advances in Cryptology - ASIACRYPT '96, LNCS 1163, Springer-Verlag, 1996: 196-209.
[23] A. D. Wyner. The Wiretap Channel [J]. The Bell Systems Technical Journal, 1975, 54(8): 1355-1387.
[24] T. Holenstein. Strengthening Key Agreement Using Hard-Core Sets [D]. Doctoral Dissertation, ETH Zurich, 2006.
[25] U. Maurer and S. Wolf. Secret Key Agreement Over a Non-Authenticated Channel - Parts I, II, III [J]. IEEE Transactions on Information Theory, 2003, 49(4): 822-851.
[26] R. Renner, N. Gisin, and B. Kraus. An Information-Theoretic Security Proof for QKD Protocols [J]. Physical Review A, 72(012332), 2005. http://arxiv.org/abs/quant-ph/0502064
[27] R. Renner and S. Wolf. New Bounds in Secret-Key Agreement: The Gap between Formation and Secrecy Extraction [C] // In Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, Springer-Verlag, 2003: 562-577.
[28] S. Wolf. Strong Security against Active Attacks in Information-Theoretic Secret-Key Agreement [C] // In Advances in Cryptology - ASIACRYPT '98, LNCS 1514, Springer-Verlag, 1998: 405-419.
[29] S. Wolf. Information-Theoretically and Computationally Secure Key Agreement in Cryptography [D]. Doctoral Dissertation, ETH Zurich, 1999.
[30] V. Shoup. Sequences of Games: A Tool for Taming Complexity in Security Proofs [R]. Cryptology ePrint Archive, Report 2004/332, 2004. http://eprint.iacr.org/2004/332.pdf
[31] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions [C] // In Proceedings of IEEE INFOCOM '99, IEEE Computer Society, 1999: 708-716.
[32] R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols [C] // In Proceedings of the 42nd Annual Symposium on Foundations of Computer Science (FOCS 2001), IEEE CS, 2001: 136-145.
[33] R. Canetti, S. Halevi, J. Katz, Y. Lindell, and P. D. MacKenzie. Universally Composable Password-Based Key Exchange [C] // In Advances in Cryptology - EUROCRYPT '05, LNCS 3494, Springer-Verlag, 2005: 404-421.
[34] R. Canetti and J. Herzog. Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols [C] // In 3rd Theory of Cryptography Conference (TCC '06), LNCS 3876, Springer-Verlag, 2006: 380-403.
[35] R. Canetti and H. Krawczyk. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels [C] // In Advances in Cryptology - EUROCRYPT '01, LNCS 2045, Springer-Verlag, 2001: 453-474.
[36] R. Canetti and H. Krawczyk. Security Analysis of IKE's Signature-Based Key-Exchange Protocol [C] // In Advances in Cryptology - CRYPTO '02, LNCS 2442, Springer-Verlag, 2002: 143-161.
[37] J. Katz and J. S. Shin. Modeling Insider Attacks on Group Key-Exchange Protocols [C] // In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), ACM Press, 2005: 180-189.
[38] B. Pfitzmann and M. Waidner. Composition and Integrity Preservation of Secure Reactive Systems [C] // In ACM Conference on Computer and Communications Security (CCS '00), ACM Press, 2000: 245-254.
[39] V. Shoup. On Formal Models for Secure Key Exchange (Version 4) [R]. Technical Report RZ 3120, IBM Research, November 1999. Also available at http://shoup.net/.
[40] D. Dolev and A. C.-C. Yao. On the Security of Public Key Protocols [J]. IEEE Transactions on Information Theory, 1983, 29(2): 198-207.
[41] M. Abadi and A. D. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus [C] // In ACM Conference on Computer and Communications Security (CCS '97), ACM Press, 1997: 36-47.
[42] M. Burrows, M. Abadi, and R. Needham. A Logic of Authentication [R]. Technical Report 39, DEC Systems Research Center, 1989. http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-039.html
[43] F. Fabrega, J. Herzog, and J. Guttman. Strand Spaces: Why Is a Security Protocol Correct? [C] // In IEEE Symposium on Security and Privacy 1998, IEEE Press, 1998: 160-171.
[44] R. A. Kemmerer, C. Meadows, and J. K. Millen. Three Systems for Cryptographic Protocol Analysis [J]. Journal of Cryptology, 1994, 7(2): 79-130.
[45] C. Meadows. Formal Verification of Cryptographic Protocols: A Survey [C] // In Advances in Cryptology - ASIACRYPT '94, LNCS 917, Springer-Verlag, 1994: 135-150.
[46] W. Diffie, P. C. van Oorschot, and M. J. Wiener. Authentication and Authenticated Key Exchanges [J]. Designs, Codes and Cryptography, 1992, 2(2): 107-125.
[47] W. Diffie and M. E. Hellman. New Directions in Cryptography [J]. IEEE Transactions on Information Theory, 1976, IT-22(6): 644-654.
[48] M. Burmester and Y. Desmedt. A Secure and Efficient Conference Key Distribution System [C] // In Advances in Cryptology - EUROCRYPT '94, LNCS 950, Springer-Verlag, 1994: 275-286.
[49] M. Burmester and Y. Desmedt. A Secure and Scalable Group Key Exchange System [J]. Information Processing Letters, 2005, 94(3): 137-143.
[50] S. Goldwasser and S. Micali. Probabilistic Encryption [J]. Journal of Computer and System Sciences, 1984, 28(2): 270-299.
[51] M. Burmester. On the Risk of Opening Distributed Keys [C] // In Advances in Cryptology - CRYPTO '94, LNCS 839, Springer-Verlag, 1994: 308-317.
[52] Y. Yacobi and Z. Shmuely. On Key Distribution Systems [C] // In Advances in Cryptology - CRYPTO '89, LNCS 435, Springer-Verlag, 1990: 344-355.
[53] M. Steiner and G. Tsudik. New Multi-party Authenticated Services and Key Agreement Protocols [J]. Journal of Selected Areas in Communications, 2000, 18(4): 1-13.
[54] M. Bellare and P. Rogaway. Entity Authentication and Key Distribution [C] // In Advances in Cryptology - CRYPTO '93, LNCS 773, Springer-Verlag, 1993: 232-249.
[55] Qing Sihan. Twenty Years of Research Progress on Security Protocols [J]. Journal of Software, 2003, 14(10): 1740-1752.
[56] S. Blake-Wilson, D. Johnson, and A. Menezes. Key Agreement Protocols and Their Security Analysis [C] // In Proceedings of the 6th IMA International Conference on Cryptography and Coding, LNCS 1355, Springer-Verlag, 1997: 30-45.
[57] C. Boyd and A. Mathuria. Protocols for Authentication and Key Establishment [M]. Springer, 2003.
[58] M. Bellare and P. Rogaway. Provably Secure Session Key Distribution: The Three Party Case [C] // In Proceedings of the 27th Annual ACM Symposium on Theory of Computing (STOC '95), ACM Press, 1995: 57-66.
[59] M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols (Extended Abstract) [C] // In Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing (STOC '98), ACM Press, 1998: 419-428.
[60] S. Micali and P. Rogaway. Secure Computation [C] // In: J. Feigenbaum, ed. Proc. of the Advances in Cryptology - CRYPTO '91. LNCS 576, Berlin, Heidelberg: Springer-Verlag, 1991: 392-404.
[61] H. Krawczyk. SIGMA: The 'SIGn-and-Mac' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols [C] // In Advances in Cryptology - CRYPTO 2003, LNCS 2729, Springer-Verlag, 2003: 400-425.
[62] Y. S. T. Tin, C. Boyd, and J. G. Nieto. Provably Secure Key Exchange: An Engineering Approach [C] // Australasian Information Security Workshop 2003 (AISW2003), 2003: 97-104.
[63] R. Canetti and H. Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels [C] // Advances in Cryptology - EUROCRYPT 2002, LNCS 2332, Springer-Verlag, 2002: 337-351.
[64] C. Meadows. Formal Verification of Cryptographic Protocols: A Survey [C] // In: Advances in Cryptology - ASIACRYPT '96 Proceedings. LNCS 1163, Springer-Verlag, 1996: 135-150.
[65] E. Bresson, O. Chevassut, and D. Pointcheval. New Security Results on Encrypted Key Exchange [C] // The 7th International Workshop on Theory and Practice in Public Key Cryptography - PKC 2004, LNCS 2947, Springer-Verlag, 2004: 145-158.
[66] W. Aiello, S. M. Bellovin, and M. Blaze. Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols [C] // Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM Press, 2002: 45-58.
[67] K. K. R. Choo and Y. Hitchcock. Security Requirement for Key Establishment Proof Models: Revisiting Bellare-Rogaway and Jeong-Katz-Lee Protocols [C] // Proceedings of the 10th Australasian Conference on Information Security and Privacy - ACISP 2005, Springer-Verlag, 2005.
[68] M. N. Eddie. Security Models and Proofs for Key Establishment Protocols [R]. A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization, Waterloo, Ontario, Canada, 2005.
[69] Y. Hitchcock, C. Boyd, and J. M. G. Nieto. Tripartite Key Exchange in the Canetti-Krawczyk Proof Model [C] // INDOCRYPT 2004, LNCS 3348, Springer-Verlag, 2004: 17-32.
[70] Li Xinghua, Ma Jianfeng, Moon Sangjae. Security Extension of the Canetti-Krawczyk Model under Identity-Based Cryptosystems [J]. Science in China Series E: Information Sciences, 2004, 34(10): 1185-1192.
[71] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater. Provably Authenticated Group Diffie-Hellman Key Exchange [C] // In Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), ACM Press, 2001: 255-264.
[72] M. Roseman and S. Greenberg. GROUPKIT: A Groupware Toolkit for Building Real-Time Conferencing Applications [C] // In Proceedings of the Conference on Computer Supported Cooperative Work (CSCW '92), ACM Press, 1992: 43-50.
[73] E. Bresson, O. Chevassut, and D. Pointcheval. Provably Authenticated Group Diffie-Hellman Key Exchange: The Dynamic Case [C] // In Advances in Cryptology - ASIACRYPT '01, LNCS 2248, Springer-Verlag, 2004: 290-390.
[74] E. Bresson, O. Chevassut, and D. Pointcheval. Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions [C] // In Advances in Cryptology - EUROCRYPT '02, LNCS 2332, Springer-Verlag, 2002: 321-336.
[75] J. Katz and M. Yung. Scalable Protocols for Authenticated Group Key Exchange [C] // In Advances in Cryptology - CRYPTO '03, LNCS 2729, Springer-Verlag, 2003: 110-125.
[76] I. Ingemarsson, D. T. Tang, and C. K. Wong. A Conference Key Distribution System [J]. IEEE Transactions on Information Theory, 1982, 28(5): 714-720.
[77] M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman Key Distribution Extended to Group Communication [C] // In Proceedings of ACM CCS 1996, ACM Press, 1996: 31-37.
[78] M. Steiner, G. Tsudik, and M. Waidner. Cliques: A New Approach to Group Key Agreement [C] // In IEEE Conference on Distributed Computing Systems, IEEE Press, 1998: 380-391.
[79] G. Ateniese, M. Steiner, and G. Tsudik. Authenticated Group Key Agreement and Friends [C] // In Proceedings of ACM CCS 1998, ACM Press, 1998: 17-26.
[80] G. Ateniese, M. Steiner, and G. Tsudik. New Multi-party Authenticated Services and Key Agreement Protocols [J]. Journal of Selected Areas in Communications, IEEE, 2000, 18(4): 1-13.
[81] Y. Kim, A. Perrig, and G. Tsudik. Communication-Efficient Group Key Agreement [C] // In Proc. 17th IFIP Int. Information Security Conf. (SEC '01), 2001: 229-244.
[82] Y. Kim, A. Perrig, and G. Tsudik. Tree-Based Group Key Agreement [J]. ACM Trans. Inf. Syst. Security, ACM Press, 2004, 7(1): 60-96.
[83] M. Burmester and Y. Desmedt. A Secure and Scalable Group Key Exchange System [J]. Information Processing Letters, 2005, 94(3): 137-143.
[84] H. J. Kim, S. M. Lee, and D. H. Lee. Constant-Round Authenticated Group Key Exchange for Dynamic Groups [C] // In Proceedings of ASIACRYPT 2004, LNCS 3329, Springer-Verlag, 2004: 245-259.
[85] R. Dutta and R. Barua. Constant Round Dynamic Group Key Agreement [C] // In Proceedings of ISC 2005, LNCS 4521, Springer-Verlag, 2005. Also available at http://eprint.iacr.org/2005/221.
[86] R. Canetti and H. Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels [C] // EUROCRYPT 2002. Full version available at http://eprint.iacr.org/2002/059.
[87] Emmanuel Bresson and Mark Manulis. Extended Definitions of AKE- and MA-Security for Group Key Exchange Protocols [R]. Cryptology ePrint Archive, Report 2006/385, 2006.
[88] Ding Yong, Tian Haibo, Wang Yumin. EAGKA: An Authenticated Group Key Agreement Protocol Based on the DLE Protocol [J]. Journal of Xidian University (Natural Science), 2004, 31(6): 915-918.
[89] H. Krawczyk. HMQV: A High-Performance Secure Diffie-Hellman Protocol [C] // Advances in Cryptology - CRYPTO '05, LNCS 3621, Berlin, Heidelberg: Springer-Verlag, 2005: 546-566.
[90] Zheng Shihui, Wang Shaohui, Zhang Guoyan. A Dynamic, Secure and Efficient Group Key Agreement Protocol [J]. Journal of Shandong University (Natural Science), 2006, 41(2): 89-93.
[91] K. Y. Choi, J. Y. Hwang, and D. H. Lee. Efficient ID-Based Group Key Agreement with Bilinear Maps [C] // 7th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2004, LNCS 2947, Springer-Verlag, Berlin/New York, 2004: 130-144.
[92] Michel Abdalla, Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. Password-Based Group Key Exchange in a Constant Number of Rounds [C] // Public Key Cryptography - PKC 2006, Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin (Eds.), LNCS 3958, Springer-Verlag, 2006: 427-442.
[93] Michel Abdalla and David Pointcheval. A Scalable Password-Based Group Key Exchange Protocol in the Standard Model [C] // In Advances in Cryptology - Proceedings of ASIACRYPT '06 (December 2-6, 2006, Shanghai, China), X. Lai and K. Chen, Eds. LNCS 4284, Springer-Verlag, 2006: 332-347.
[94] A. Mayer and M. Yung. Secure Protocol Transformation via "Expansion": From Two Party to Groups [C] // Proc. of ACM Conf. on Computer and Communications Security (CCS '99), ACM Press, 1999: 83-92.
[95] J. Y. Hwang, S. M. Lee, and D. H. Lee. Scalable Key Exchange Transformation: From Two-Party to Group [J]. Electronics Letters, 2004, 40(12): 728-729.
[96] M. Abdalla, J. M. Bohli, M. I. G. Vasco, and R. Steinwandt. (Password) Authenticated Key Establishment: From 2-Party to Group [C] // Proceedings of Theory of Cryptography Conf. 2007 (TCC '07), LNCS 4392, Springer-Verlag, Berlin, 2007: 499-514.
[97] D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography [J]. SIAM Journal of Computing, 2000, 30(2): 391-437.
[98] D. Pointcheval and J. Stern. Security Arguments for Digital Signatures and Blind Signatures [J]. J. Cryptology, 2000, 13: 361-396.
[99] A. Joux. A One Round Protocol for Tripartite Diffie-Hellman [C] // In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium, ANTS IV, LNCS 1838, Springer-Verlag, 2000: 385-394.
[100] S. Al-Riyami and K. G. Paterson. Tripartite Authenticated Key Agreement Protocols from Pairings [R]. Cryptology ePrint Archive, 2002. http://eprint.iacr.org/
[101] F. Zhang, S. Liu, and K. Kim. ID-Based One Round Authenticated Tripartite Key Agreement Protocols with Pairings [R]. Cryptology ePrint Archive, Report 2002/035, 2002. http://eprint.iacr.org/
[102] D. Nalla and K. C. Reddy. Identity Based Authenticated Group Key Agreement Protocol [C] // Proc. of INDOCRYPT '02, LNCS 2551, Springer-Verlag, 2002: 110-125.
[103] R. Barua, R. Dutta, and P. Sarkar. Extending Joux's Protocol to Multi Party Key Agreement [C] // Proc. of INDOCRYPT '03, LNCS 2947, Berlin, Heidelberg: Springer-Verlag, 2004: 130-144.
[104] Fangguo Zhang and Xiaofeng Chen. Attack on an ID-Based Authenticated Group Key Agreement Scheme from PKC 2004 [J]. Information Processing Letters, 2004, 91: 191-193.
[105] R. Cramer and V. Shoup. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack [J]. SIAM Journal on Computing, 2003, 33(1): 167-226.
[106] E. Bresson, O. Chevassut, A. Essiari, and D. Pointcheval. Mutual Authentication and Group Key Agreement for Low-Power Mobile Devices [C] // In The Fifth IEEE International Conference on Mobile and Wireless Communications Networks, 2003.
[107] E. Bresson, O. Chevassut, and D. Pointcheval. Security Proofs for an Efficient Password-Based Key Exchange [C] // In Proc. of ACM CCS '03, ACM Press, 2003.
[108] X. Boyen. The BB1 Identity-Based Cryptosystem: A Standard for Encryption and Key Encapsulation [R]. http://grouper.ieee.org/groups/1363/IBC/submissions/index.html, submitted 2006-08-14.
[109] Liu Chenglin, Xu Qiuliang. An Identity-Based Multi-Security-Group Key Agreement Protocol [C] // Advances in Cryptology - ChinaCrypt '2006, China Science and Technology Press, 2006: 181-187.
[110] S. M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks [C] // In: D. Cooper, ed. Proc. of the 1992 IEEE Symp. on Security and Privacy. Washington: IEEE Computer Society Press, 1992: 72-84.
[111] S. Halevi and H. Krawczyk. Public-Key Cryptography and Password Protocols [J]. ACM Trans. Inf. Syst. Secur. (TISSEC), New York: ACM Press, 1999, 2(3): 230-268.
[112] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure against Dictionary Attacks [C] // In: B. Preneel, ed. Advances in Cryptology - Proceedings of EUROCRYPT 2000 (14-18 May 2000, Brugge, Belgium). LNCS 1807. New York: Springer-Verlag, 2000: 139-155.
[113] V. Boyko, P. MacKenzie, and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman [C] // In: B. Preneel, ed. Advances in Cryptology - Proceedings of EUROCRYPT 2000 (14-18 May 2000, Brugge, Belgium). LNCS 1807. New York: Springer-Verlag, 2000: 156-171.
[114] O. Goldreich and Y. Lindell. Session-Key Generation Using Human Passwords Only [C] // In: J. Kilian, ed. Proc. of the Advances in Cryptology - CRYPTO 2001. LNCS 2139. Berlin, Heidelberg: Springer-Verlag, 2001: 408-432.
[115] J. Katz, R. Ostrovsky, and M. Yung. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords [C] // In: B. Pfitzmann, ed. Proc. of the Advances in Cryptology - EUROCRYPT 2001. LNCS 2045. Berlin, Heidelberg: Springer-Verlag, 2001: 475-494.
[116] Hwang Min-Shiang, Lo Jung-Wen, and Liu Chia-Hsin. Simple Authenticated Key Agreement and Protected Password Change Protocol [J]. Computers & Security, 2005, 24: 500-504.
[117] H. T. Yeh and H. M. Sun. Simple Authenticated Key Agreement Protocol Resistant to Password Guessing Attacks [J]. ACM SIGOPS Operating Systems Review, New York: ACM Press, 2002: 14-22.
[118] Feng Dengguo. Computer Communication Network Security [M]. Beijing: Tsinghua University Press, 2001.
[119] C. I. Wang, C. I. Fan, and D. J. Guan. Cryptanalysis on Chang-Yang-Hwang Protected Password Change Protocol [C] // International Association for Cryptologic Research (IACR), 2005: 147-209.
[120] Feng Dengguo, Chen Weidong. Modular Design and Analysis of Password-Based Security Protocols [J]. Science in China Series E: Information Sciences, 2007, 37(2): 223-237.
[121] K. Shim. Efficient One-Round Tripartite Authenticated Key Agreement Protocol from Weil Pairing [J]. Electronics Letters, 2003, 39(2): 208-209.
[122] T. Matsumoto, Y. Takashima, and H. Imai. On Seeking Smart Public-Key Distribution Systems [J]. Transactions of IEICE of Japan, E69, 1986: 99-106.
[123] D. Nalla and K. C. Reddy. ID-Based Tripartite Authenticated Key Agreement Protocols from Pairings [R]. http://eprint.iacr.org/2003/004
[124] Z. Chen. Security Analysis on Nalla-Reddy's ID-Based Tripartite Authenticated Key Agreement Protocol [R]. http://eprint.iacr.org/2003/103
[125] K. Shim. Cryptanalysis of ID-Based Tripartite Authenticated Key Agreement Protocol [R]. http://eprint.iacr.org/2003/115
[126] R. Gennaro and Y. Lindell. A Framework for Password-Based Authenticated Key Exchange [C] // In E. Biham, editor, Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, Springer-Verlag, 2003: 524-543.
[127] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure against Dictionary Attacks [C] // In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 2000, LNCS 1807, Springer-Verlag, 2000: 139-155.
[128] V. Boyko, P. MacKenzie, and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman [C] // In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 2000, LNCS 1807, Springer-Verlag, 2000: 156-171.
[129] H. Yeh, H. Sun, and T. Hwang. Efficient Three-Party Authentication and Key Agreement Protocols Resistant to Password Guessing Attacks [J]. Journal of Information Science and Engineering, 2003, 19(6): 1059-1070.
[130] M. Abdalla, P. A. Fouque, and D. Pointcheval. Password-Based Authenticated Key Exchange in the Three-Party Setting [C] // In S. Vaudenay, editor, PKC 2005, LNCS 3386, Springer-Verlag, 2005: 65-84.
[131] Q. Tang and K. R. Choo. Secure Password-Based Authenticated Group Key Agreement for Data-Sharing Peer-to-Peer Networks [C] // In J. Zhou, M. Yung, and F. Bao, editors, ACNS 2006: International Conference on Applied Cryptography and Network Security, LNCS 3989, Springer-Verlag, 2006: 162-177.
[132] C. Ma, J. Ao, and J. Li. Provable Password-Based Tripartite Key Agreement Protocol [R]. http://eprint.iacr.org/2007/184.pdf
[133] H. A. Wen, T. F. Lee, and T. Hwang. Provably Secure Three-Party Password-Based Authenticated Key Exchange Protocol Using Weil Pairing [J]. IEE Proc.-Commun., 2005, 152(2): 138-143.
[134] Hung-Yu Chien. Comments on a Provably Secure Three-Party Password-Based Authenticated Key Exchange Protocol Using Weil Pairings [R]. http://eprint.iacr.org/2006/013.pdf
[135] Feng Dengguo, Chen Weidong. Security Model and Modular Design of Fair Authenticated Key Exchange Protocols [C] // Proceedings of the 3rd Security Protocols Workshop of the State Key Laboratory of Information Security, Feng Dengguo (ed.), 2007: 1-18.
[136] S. Hirose and S. Yoshida. An Authenticated Diffie-Hellman Key Agreement Protocol Secure Against Active Attacks [C] // In Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography (PKC '98), LNCS 1431, Springer-Verlag, 1998: 135-148.
[137] D. Wallner, E. Harder, and R. Agee. Key Management for Multicast: Issues and Architectures. Internet RFC/STD/FYI/BCP Archives, RFC 2627, June 1999. Available at http://www.faqs.org/rfcs/rfc2627.html
[138] C. K. Wong, M. Gouda, and S. S. Lam. Secure Group Communications Using Key Graphs [C] // In Proceedings of the ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM '98), ACM Press, 1998: 68-79.
[139] B. Briscoe. MARKS: Zero Side Effect Multicast Key Management Using Arbitrarily Revealed Key Sequences [C] // In Proceedings of the First International Workshop on Networked Group Communication (NGC '99), LNCS 1736, Springer-Verlag, 1999: 301-320.
[140] D. Naor, M. Naor, and J. Lotspiech. Revocation and Tracing Schemes for Stateless Receivers [C] // In Advances in Cryptology - CRYPTO '01, LNCS 2139, Springer-Verlag, 2001: 41-62.
[141] A. T. Sherman and D. A. McGrew. Key Establishment in Large Dynamic Groups Using One-Way Function Trees [J]. IEEE Transactions on Software Engineering, 2003, 29(5): 444-458.
[142] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, and B. Plattner. The VersaKey Framework: Versatile Group Key Management [J]. IEEE Journal on Selected Areas in Communications, 1999, 17(9): 1614-1631.
[143] M. Abadi and A. D. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus [C] // In ACM Conference on Computer and Communications Security (CCS '97), ACM Press, 1997: 36-47.
[144] M. Abadi and P. Rogaway. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) [J]. Journal of Cryptology, 2002, 15(2): 103-127.
[145] M. Abdalla, M. Bellare, and P. Rogaway. The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES [C] // In Topics in Cryptology - CT-RSA '01, LNCS 2020, Springer-Verlag, 2001: 143-158.
[146] R. Ahlswede and I. Csiszar. Common Randomness in Information Theory and Cryptography - I: Secret Sharing [J]. IEEE Transactions on Information Theory, 1993, 39(4): 1121-1132.
[147] Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik. On the Performance of Group Key Agreement Protocols [J]. ACM Transactions on Information and System Security, 2004, 7(3): 457-488.
[148] J. H. An, Y. Dodis, and T. Rabin. On the Security of Joint Signature and Encryption [C] // In Advances in Cryptology - EUROCRYPT '02, LNCS 2332, Springer-Verlag, 2002: 83-107.
[149] S. Androutsellis-Theotokis and D. Spinellis. A Survey of Peer-to-Peer Content Distribution Technologies [J]. ACM Computing Surveys, 2004, 36(4): 335-371.
[150] A. Armando, D. A. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. H. Drielsma, P.-C. Heam, O. Kouchnarenko, J. Mantovani, S. Modersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Vigano, and L. Vigneron. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications [C] // In Proceedings of the 17th International Conference on Computer Aided Verification (CAV '05), LNCS 3576, Springer-Verlag, 2005: 281-285.
[151] N. Asokan and P. Ginzboorg. Key-Agreement in Ad-hoc Networks [J]. Computer Communications, 2000, 23(17): 1627-1637.
[152] G. Ateniese, M. Steiner, and G. Tsudik. New Multi-Party Authentication Services and Key Agreement Protocols [J]. IEEE Journal of Selected Areas in Communications, 2000, 18(4): 628-639.
[153] B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules [C] // In Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW '01), IEEE Computer Society, 2001: 82-96.
[154] B. Blanchet and D. Pointcheval. Automated Security Proofs with Sequences of Games [C] // In Advances in Cryptology - CRYPTO '06, LNCS 4117, Springer-Verlag, 2006: 537-554.
[155] J.-M. Bohli, M. I. G. Vasco, and R. Steinwandt. Secure Group Key Establishment Revisited [R]. Cryptology ePrint Archive, Report 2005/395, 2005. http://eprint.iacr.org/
[156] A. Boldyreva. Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme [C] // In Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography (PKC '03), LNCS 2567, Springer-Verlag, 2003: 31-46.
    [156] A. Boldyreva. Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme[C] // In Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography (PKC'03), LNCS 2567, Springer- Verlag, 2003:31-46.
    [157]D.Boneh.The Decision Diffie-Hellman Problem[C]// In ANTS-Ⅲ:Proceedings of the Third International Symposium on Algorithmic Number Theory,Springer- Verlag,1998:48-63.
    [158]D.Boneh and X.Boyen.Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles[C]// In Advances in Cryptology-EUROCRYPT'04,LNCS 3027,Springer- Verlag,2004:223-238.Available at http://www.cs.stanford.edu/-xb/eurocrypt04b/.
    [159]D.Boneh and M.Franklin.Identity-Based Encryption from the Weil Pairing[J].SIAM Journal of Computing,2003,32(3):586-615.
    [160]D.Boneh,B.Lynn,and H.Shacham.Short Signatures from the Weil Pairing[C]// In Advances in Cryptololgy - ASIACRYPT'01,LNCS 2248,Springer- Verlag,2001:514-532.
    [161]C.Cachin,K.Kursawe,and V.Shoup.Random Oracles in Constantinople:Practical Asynchronous Byzantine Agreement using Cryptography[C]//In Proceedings of the 19th Annual ACM Symposium on Principles of Distributed Computing(PODC'00),ACM Press,2000:123-132.
    [162]C.Cachin and U.Maurer.Unconditional Security Against Memory-Bounded Adversaries[C]//In Advances in Cryptology - CRYPTO '97,LNCS 1294,Springer- Verlag,1997:292-306.
    [163]C.Cachin and R.Strobl.Asynchronous Group Key Exchange with Failures[C]// In Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing(PODC'04),ACM Press,2004:357-366.
    [164]S.Greenberg.An Annotated Bibliography of Computer Supported Cooperative Work[R].ACM SIGCHI Bulletin,23(3):29-62,1991.
    [165]S.Greenberg.Computer-Supported Cooperative Work and Groupware:An Introduction to the Special Issues[J].International Journal of Man-Machine Studies,1991,34(2):133-141.
    [166]C.G.Gu|¨nther.An Identity-Based Key-Exchange Protocol[C]//In Advances in Cryptology- EUROCRYPT'89,LNCS 434,Springer- Verlag,1990:29-37.
    [167]Y.Hitchcock,C.Boyd,and J.M.G.Nieto.Tripartite Key Exchange in the Canetti-Krawczyk Proof Model[C]// In Progress in Cryptology-INDOCRYPT'94,LNCS 3348,Springer-Verlag,2004:17-32.
    [168]D.Hofheinz,J.Mu|¨ller-Quade,and R.Steinwandt.Initiator-Resilient Universally Composable Key Exchange[C]//In 8th European Symposium on Research in Computer Security(ESORICS'03),LNCS 2808,Springer-Verlag,2003:61-84.
    [169]王育民,何大可.保密学-基础与应用.西安电子科技大学出版社,1990.
    [170]梅其祥.抗选择密文攻击公钥密码体制的研究.西南交通大学博士论文,2005.
    [171]田海博.会话密钥建立关键技术研究.西安电子科技大学西电博士论文,2006.
    [172]蒋军.异构无线网络互联的认证和密钥协商研究.上海交通大学博士论文,2006.
    [173]李兴华.无线网络中认证及密钥协商协议的研究.西安电子科技大学西电博士论文,2006.
