*(Note on scope: This bibliography attempts to focus upon authentication
protocols, key exchange protocols, key agreement protocols, and authenticated
versions of the latter two. I tend to omit systems that deliberately support
key escrow. Works that discuss design principles and verification for broader
classes of cryptographic protocols are considered fair game. See my
conference key establishment references page for citations regarding
multi-party protocols, where more than two non-trusted legitimate parties
are involved.)*

Martin Abadi, "Explicit communication revisited: Two new attacks on authentication protocols" (PostScript), *IEEE Trans. on Software Eng.* 23(3), Mar. 1997, pp. 185-186.

Martin Abadi and Andrew D. Gordon, "A calculus for cryptographic protocols: The spi calculus", to appear in *Proc. 4th ACM Conf. on Computer and Communications Security*, Apr. 1997.

Martin Abadi and Roger M. Needham, "Prudent engineering practice for cryptographic protocols" (PostScript), *IEEE Trans. on Software Eng.* 22(1), Jan. 1996, pp. 6-15.

Ross J. Anderson and T. Mark A. Lomas, "Fortifying key negotiation schemes with poorly chosen passwords", *Electronics Letters* 30(13), Jun. 23, 1994, pp. 1040-1041.

Ross J. Anderson and Roger M. Needham, "Robustness principles for public key protocols", in *Advances in Cryptology -- Proc. Crypto `95*, Springer-Verlag LNCS 963, 1995, pp. 236-247.

Shahram Bakhtiari, Reihaneh Safavi-Naini, and Josef Pieprzyk, "On password-based authenticated key exchange using collisionful hash functions" (zipped PostScript), *Advances in Cryptology -- Proc. Australasian Conf. on Info. Security and Privacy* (ACISP `96), Wollongong, NSW, Australia, June 24-26, 1996, Springer-Verlag LNCS 1172, pp. 298-309.

Mihir Bellare and Phillip Rogaway, "Provably secure session key distribution -- The three party case" (abstract), in *Proc. 27th ACM Symp. on Theory of Computing*, Las Vegas, NV, USA, May 1995, pp. 57-66.

Mihir Bellare and Phillip Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols", in *Proc. 1st ACM Conf. on Computer and Communications Security*, Nov. 1993.

Steven M. Bellovin and Michael Merritt, "Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise", in *Proc. IEEE Computer Society Symp. on Research in Security and Privacy* (Oakland `93), Oakland, CA, USA, 1993, pp. ????.

Steven M. Bellovin and Michael Merritt, "Encrypted key exchange: Password-based protocols secure against dictionary attacks", in *Proc. IEEE Computer Society Symp. on Research in Security and Privacy* (Oakland `92), Oakland, CA, USA, 1992, pp. 72-84.

Steven M. Bellovin and Michael Merritt, "Limitations of the Kerberos authentication system", *Proc. Winter `91 Usenix Conf.*, Dallas, TX, USA, 1991.

R. Bird, I. Gopal, Amir Herzberg, Phillip Janson, S. Kutten, Refik Molva, and Moti Yung, "Systematic design of two-party authentication protocols", *Advances in Cryptology -- Proc. Crypto `91*, Springer-Verlag LNCS ??vol.no.??, ??year??.

R. Bird, I. Gopal, Amir Herzberg, Phillip Janson, S. Kutten, Refik Molva, and Moti Yung, "Systematic design of a family of attack-resistant authentication protocols", *IEEE J. on Selected Areas in Communications* 11(5), June 1993, pp. 679-693.

R. Bird, I. Gopal, Amir Herzberg, Phillip Janson, S. Kutten, Refik Molva, and Moti Yung, "The Kryptoknight family of light-weight protocols for authentication and key distribution" (gzipped PostScript), *IEEE/ACM Trans. on Networking*, ??vol.no.??, 1995.

Andrew D. Birrell, "Secure communication using remote procedure calls", *ACM Trans. on Computer Sys.* 3(1), Feb. 1985, pp. 1-14.

Eric A. Blossom, "The VP1 protocol for voice privacy devices" (v1.1) (gzipped PostScript), *Communication Security Corp.*, Dec. 3, 1996. [Diffie-Hellman key agreement for secure telephony, with voice verification of the ephemeral public exponentials]

Dan Boneh, Richard B. DeMillo, & Richard Lipton, "On the importance of checking cryptographic protocols for faults", in *Advances in Cryptology -- Proc. Eurocrypt `97*, Springer-Verlag LNCS ???, pp. ???.

Dan
Boneh
& Ramarathnam Venkatesan, "Hardness of computing the most
significant
bits of secret keys in Diffie-Hellman and related schemes", in
*Advances
in Cryptology -- Proc. Crypto `96*, Springer-Verlag LNCS ???, pp. ???.
[proposes the Modified Diffie-Hellman protocol, motivated by their results
on the hardness of MSBs of DH agreed keys, for which the ability to compute
the highest order bit of the agreed key is shown to imply the ability to
compute all the bits]

Colin Boyd, "A class of flexible and efficient key management protocols" (PostScript), *Proc. 9th IEEE Computer Security Foundations Workshop* (CSFW), 1996, pp. 2-8.

Colin Boyd & Wenbo Mao, "On a limitation of BAN logic", in *Advances in Cryptology -- Proc. Eurocrypt `93*, Lofthus, Norway, Springer-Verlag LNCS 765, pp. 240-247. [rebutted by van Oorschot at the rump session of the same conference]

Mike Burmester, "On the risk of opening distributed keys", in *Advances in Cryptology -- Proc. Crypto `94*, Springer-Verlag LNCS 839, pp. 308-317.

Michael Burrows, Martin Abadi, & Roger M. Needham, "A logic of authentication" (PostScript), *DEC SRC Research Report* 39, revised Feb. 22, 1990.

Michael Burrows, Martin Abadi, & Roger M. Needham, "The scope of a Logic of Authentication" (PostScript), *Proc. DIMACS Workshop on Distributed Computing and Cryptography*, Oct. 1989, pp. 119-126.

Charles Cavaiani & Jim Alves-Foss, "A mutual authenticating protocol with key distribution in a client/server environment" (HTML), *ACM Crossroads* 2(4), Apr. 1996.

Benny
Chor & Amos Beimel, "Interaction in key distribution
schemes",
in *Advances in Cryptology -- Proc. Crypto `93*, Springer-Verlag LNCS
773, pp. 456-479.

John A. Clark &
Jeremy Jacob, "A
survey of authentication protocol literature" (PostScript),
*manuscript*, Aug. 1, 1996.

John A. Clark & Jeremy Jacob, "On the security of recent protocols", in *Info. Processing Letters* 56(3), Nov. 1995, pp. 151-155.

Hadmut Danisch, "The exponential security system TESS: An identity-based cryptographic protocol for authenticated key-exchange (E.I.S.S.-Report 1995/4)" (ASCII), *Internet RFC 1824*, Aug. 1995.

George Davida, Yvo
G. Desmedt, and Rene Peralta, "On the importance of memory resources
in the security of key exchange protocols", in *Advances in Cryptology
-- Proc. Eurocrypt `90*, Springer-Verlag LNCS 473, pp. 11-15.

Dorothy E. Denning and Giovanni Maria Sacco, "Timestamps in key distribution protocols", *Comm. of the ACM* 24(8), Aug. 1981, pp. 533-536.

Yvo G. Desmedt and Mike Burmester, "Towards practical `proven secure' authenticated key distribution", *Proc. 1st ACM Conf. on Computer and Communications Security*, Fairfax, VA, USA, Nov. 3-5, 1993, pp. 228-231.

Yvo G. Desmedt and Andrew M. Odlyzko, "A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes", *Advances in Cryptology -- Proc. Crypto `85*, Springer-Verlag LNCS 218, 1986, pp. 516-522.

Whitfield Diffie and Martin E. Hellman, "New directions in cryptography", in *IEEE Trans. on Info. Theory* IT-22(6), Nov. 1976, pp. 644-654.

Whitfield Diffie, Paul C. van Oorschot, and Michael J. Wiener, "Authentication and authenticated key exchanges", *Designs, Codes, and Cryptography* 2(2), 1992, pp. 107-125.

Yun Ding and Patrick Horster, "Why the Kuperee authentication system fails", *ACM Operating Systems Review* 30(2), Apr. 1996, pp. 42-51.

Danny Dolev, Shimon Even, & Richard M. Karp, "On the security of ping-pong protocols", *Information and Control* 55, 1982, pp. 57-68.

Danny Dolev & Andrew C. Yao, "On the security of public key protocols", *IEEE Trans. on Info. Theory* IT-29(2), Mar. 1983, pp. 198-208.

David C. Feldmeier & Philip R. Karn, "UNIX password security:
Ten years later", in Gilles Brassard, ed., *Advances in Cryptology
-- Proc. Crypto `89*, Springer-Verlag LNCS 435, pp. 44-63.

Christian Gehrmann, "Cryptanalysis of the Gemmell and Naor multiround
authentication protocol", *Advances in Cryptology -- Proc. Crypto
`94*, Springer-Verlag LNCS 839, pp. 121-128.

Christian Gehrmann, "Secure multiround authentication protocols", *Advances in Cryptology -- Proc. Eurocrypt `95*, Springer-Verlag LNCS 921, pp. 158-167.

Li Gong, "A security risk of depending on synchronized clocks", in *ACM Operating Systems Review* 26(1), 1992, pp. 49-53.

Li Gong, "Efficient network authentication protocols: Lower bounds and optimal implementations", in *Distributed Computing* 9(3), 1995.

Li Gong, "Increasing availability and security of an authentication service", in *IEEE J. on Selected Areas in Communications* 11(5), June 1993, pp. 657-662.

Li Gong, "Using one-way functions for authentication", in *ACM Computer Communications Review* 19, 1989, pp. 8-11.

Li Gong, T. Mark A. Lomas, Roger M. Needham, and Jerome H. Saltzer, "Protecting poorly chosen secrets from guessing attacks", in *IEEE J. on Selected Areas in Communications* 11(5), June 1993, pp. 648-656.

Li Gong and Paul Syverson, "Fail-stop protocols: An approach to designing secure protocols" (PostScript), in *Proc. 5th Intl. Working Conf. on Dependable Computing for Critical Applications*, Sept. 1995, pp. 44-55.

Li Gong and David J. Wheeler, "A matrix key distribution scheme", in *J. Cryptology* 2, 1990, pp. 51-59.

Tzonelih Hwang and Y.H. Chen, "On the security of SPLICE/AS - the authentication system in WIDE Internet", *Information Processing Letters* 53, 1995, pp. 97-101.

Min-Shiang Hwang and Chii-Hwa Lee, "Authenticated key-exchange
in a mobile radio network", to appear in *European Transactions
on Telecommunications*, Oct. 1996.

Tzonelih Hwang, N.Y. Lee, C.M. Li, M.Y. Ko and Y.H. Chen, "Two attacks on Neuman-Stubblebine authentication protocols", *Information Processing Letters* 53, 1995, pp. 103-107.

David P. Jablon, "Extended password methods immune to dictionary attack", to appear in *Proc. WETICE '97 Enterprise Security Workshop*, Cambridge, MA, USA, June 18-20, 1997.

David P. Jablon, "Strong password-only authenticated key exchange" (PostScript, MS Word, RTF), *ACM Computer Communications Review*, Oct. 1996.

John M. Kelsey, Bruce Schneier, & David A. Wagner, "Protocol interactions and the chosen protocol attack", in *Proc. 1997 Security Protocols Workshop*, Cambridge, U.K.

Timo Kyntaja, "A Logic of Authentication by Burrows, Abadi, and Needham" (HTML), Nov. 7, 1995. [Here's the abstract: "A formal method for describing and analysing authentication protocols was first suggested in late 1980's. Since then the development on the field has moved on extending and changing the semantics of the basic BAN logic. This document gives an introduction to the BAN logic and discusses some of the additions suggested to it."]

Stefan Lucks, "Open Key Exchange: how to defeat dictionary attacks without encrypting public keys", in *Proc. 1997 Security Protocols Workshop*, Cambridge, U.K.

T. Matsumoto, Y. Takashima, & Hideki Imai, "On seeking smart public-key-distribution systems", *Trans. IECE of Japan* E69(2), 1986, pp. 99-106.

Ueli M. Maurer, "Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms", in *Advances in Cryptology -- Proc. Crypto `94*, Springer-Verlag LNCS 839, pp. 271-281.

Alfred Menezes, Paul C. van Oorschot, & Scott Vanstone, "Chapter 12: Key establishment protocols", in *Handbook of Applied Cryptography*, CRC Press, ISBN 0-8493-8523-7, 1997, pp. 489-541.

Robert Morris & Ken Thompson, "Password security: A case history", in *Communications of the ACM* 22(11), Nov. 1979, pp. 594-597.

James Nechvatal, "Public-key cryptography" (ASCII), *NIST Special Publication 800-2*, Apr. 1991. [According to the preface, "[t]his publication presents a state-of-the-art survey of public-key cryptography circa 1988 - 1990"]

Sarvar Patel, "Information leakage in EKE", *DIMACS Workshop on Network Threats*, New Brunswick, NJ, USA, Dec. 4-6, 1996.

Sarvar Patel, "Number theoretic attacks on secure password schemes", in *Proc. 1997 IEEE Symp. on Security and Privacy* (Oakland `97), Oakland, CA, USA, May 5-7, 1997.

Phillip
Rogaway and Mihir
Bellare, "Entity authentication and key distribution"
(abridged),
in *Advances in Cryptology -- Proc. Crypto `93*, Springer-Verlag LNCS
773, pp. 232-249.

Renate Scheidler, Johannes A. Buchmann, and Hugh C. Williams,
"Implementation
of a key exchange protocol using some real quadratic fields",
*Advances
in Cryptology -- Proc. Eurocrypt `90*, Springer-Verlag LNCS 473, pp.
98-109.

Bruce Schneier, "Chapter 22: Key-exchange algorithms", in *Applied Cryptography* (2nd ed.), John Wiley & Sons, ISBN 0-4711-1709-9, 1996, pp. 513-525. [includes a description of Eric Hughes' DH protocol variant from the Crypto `94 rump session]

Richard Schroeppel, Hilarie Orman, Sean O'Malley, and Oliver Spatscheck, "Fast key exchange with elliptic curve systems", in *Advances in Cryptology -- Proc. Crypto `95*, Springer-Verlag LNCS 963, pp. 43-56. [fast implementation of a key agreement analogous to Diffie-Hellman in the group of points on an elliptic curve of the form $y^2 + xy = x^3 + ax^2 + b$ over GF(2

Eugene H. Spafford, "The Internet worm program: An analysis", in *ACM Computer Communications Review* 19(1), Jan. 1989, pp. 17-57.

Michael Steiner, Gene Tsudik, and Michael Waidner, "Refinement and extension of Encrypted Key Exchange", *ACM Operating Systems Review* (OSR) 29(3), 1995, pp. 22-30.

Christoph Thiel, Johannes A. Buchmann, and Ingrid Biehl,
"Cryptographic
protocols based on discrete logarithms in real-quadratic orders",
in *Advances in Cryptology -- Proc. Crypto `94*, Springer-Verlag LNCS
839, pp. 56-60.

Gene Tsudik and Els
van Herreweghen, "Some remarks on Protecting Weak Keys and Poorly-Chosen
Secrets from Guessing Attacks", in *Proc. IEEE Symp. on Reliable
Distributed Systems*, Oct. 1993.

David Vincenzetti, Stefano Taino, and Fabio Bolognesi, "STEL: secure telnet" (HTML), U. Milan, 1995.

David A. Wagner & Bruce Schneier, "Analysis of the SSL 3.0 protocol", in *Proc. 2nd Usenix Workshop on Electronic Commerce*, Nov. 1996.

Maurice V. Wilkes, "Chapter 9: Operation and managerial aspects of time sharing", in *Time-Sharing Computer Systems* (2nd ed.), American Elsevier, ISBN 0-444-19583-1, 1972, pp. 129-140. [discusses Roger Needham's use of a one-way function to protect passwords stored in a host]

Thomas J. Wu, "The Secure Remote Password protocol" (PostScript), to appear in *Proc. 1998 Internet Society Symp. on Network and Distributed System Security* (ISOC SNDSS `98).

Tatu Ylonen, "SSH (secure shell) remote login protocol" (ASCII), Helsinki U. Tech.

Compiled by Lewis McCarthy, based upon citations harvested from email, Usenet, WWW pages, newspapers, magazines, conference proceedings, journals, books, and word of mouth.

Cited authors who do not appear to have web pages (hence those pages aren't listed above!):

- Whitfield Diffie (at Sun Microsystems)
- John M. Kelsey (at Counterpane Systems)
- Roger M. Needham (at Cambridge U.)
- Paul C. van Oorschot (at Entrust Technologies)
- Sarvar Patel (at Bellcore)
- Paul Syverson (at U.S. NRL ITD CHACS)
- Scott Vanstone (at U. of St. Jerome's College)

Last substantive update: July 15, 1997