Notes

References

[1] M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational
soundness of formal encryption). Journal of Cryptology, 15(2):103{127, 2002.

[2] B. Aboba, L. Blunk, J. Vollbrecht, and J. Carlson. RFC 3748: Extensible Authenti-
cation Protocol (EAP), 2004.

[3] G.-J. Ahn, D. Shin, and S.-P. Hong. Information assurance in federated identity
management: Experimentations and issues. In X. Zhou, S. Y. W. Su, M. P. Papa-
zoglou, M. E. Orlowska, and K. G. Je®ery, editors, Web Information Systems | WISE
2004, 5th International Conference on Web Information Systems Engineering, Bris-
bane, Australia, November 22-24, 2004, Proceedings, number 3306 in Lecture Notes in
Computer Science, pages 79{90. Springer Verlag, Berlin, November 2004.

[4] M. A. Al-Meaither and C. J. Mitchell. A secure GSM-based Murabaha transaction.
In Proceedings of the 1st International Conference on Information & Communication
Technologies from Theory to Applications (ICTTA), pages 77{78. IEEE Press, April
2004.

[5] American National Standards Institute. ANSI 9.84-2003: Biometric Information
Management and Security for the Financial Services Industry, 2003.

[6] T. Aura and P. Nikander. Stateless connections. In Y. Han, T. Okamoto, and S. Quing,
editors, ICICS '97: Proceedings of the First International Conference on Information
and Communication Security, volume 1334 of Lecture Notes in Computer Science,
pages 87{97, London, UK, 1997. Springer-Verlag.

[7] A. Back, U. MÄoller, and A. Stiglic. Tra±c analysis attacks and trade-o®s in anonymity
providing systems. In I. S. Moskowitz, editor, Information Hiding, 4th International
Workshop, IHW 2001, volume 2137 of Lecture Notes in Computer Science, pages 245{
257. Springer Verlag, Berlin, 2001.

[8] M. Backes and B. P¯tzmann. A cryptographically sound security proof of the
Needham-Schroeder-Lowe public-key protocol. IEEE Journal on Selected Areas in
Communications, 22(10):2075{2086, 2004.

[9] B. Balache®, L. Chen, S. Pearson, D. Plaquin, and G. Proudler. Trusted Computing
Platforms: TCPA Technology in Context. Prentice-Hall, 2003.

[10] G. Barish and K. Obraczka. World wide web caching: Trends and techniques. IEEE
Communications Magazine, 38(5):178{185, May 2000.

[11] M. Bellare, R. Canetti, and H. Krawczyk. Pseudorandom functions revisited: The
cascade construction and its concrete security. In Proceedings of the 37th Annual
Symposium on the Foundations of Computer Science (FOCS), pages 514{523. IEEE,
1996.

[12] M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and
analysis of authentication and key exchange protocols. In Proceedings of the 30th
Annual Symposium on the Theory of Computing, pages 419{428. ACM, 1998.

[13] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of
symmetric encryption. In Proceedings of the 38th Annual Symposium on Foundations
of Computer Science (FOCS), pages 394{403. IEEE Computer Society, 1997.

[14] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions
of security for public-key encryption schemes. In H. Krawczyk, editor, Advances in
Cryptology { CRYPTO 1998, volume 1462 of Lecture Notes in Computer Science,
pages 26{45. Springer-Verlag, 1998.

[15] M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions
and analysis of the generic composition paradigm. In T. Okamoto, editor, Advances in
Cryptology | Asiacrypt 2000, Proceedings, volume 1976 of Lecture Notes in Computer
Science, pages 531{545. Springer-Verlag, Berlin, 2000.

[16] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing
e±cient protocols. In ACM Conference on Computer and Communications Security,
pages 62{73. ACM, 1993.

[17] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. Stinson,
editor, Advances in Cryptology { CRYPTO 1993, volume 773 of Lecture Notes in
Computer Science, pages 232{249. Springer-Verlag, Berlin, 1994.

[18] M. Bellare and P. Rogaway. Provably secure session key distribution: The three party
case. In Proceedings of the 27th Annual ACM Symposium on Theory of Computing
STOC, pages 57{66. ACM, 1995.

[19] M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case of
dynamic groups. In A. Menezes, editor, Topics in Cryptology - CT-RSA 2005, The
Cryptographers' Track at the RSA Conference 2005, San Francisco, CA, USA, Feb-
ruary 14-18, 2005, Proceedings, volume 3376 of Lecture Notes in Computer Science,
pages 136{153. Springer, 2005.

[20] S. M. Bellovin and M. Merritt. Limitations of the Kerberos authentication system. In
USENIX Conference Proceedings, pages 253{267, Dallas, TX, Winter 1991. USENIX.
[21] T. Berners-Lee, L. Masinter, and M. M. (editors). Uniform Resource Locators, 2004.

[22] O. Berthold and M. KÄohntopp. Identity management based on P3P. In H. Federrath,
editor, Designing Privacy Enhancing Technologies, International Workshop on Design
Issues in Anonymity and Unobservability, July 2000, number 2009 in Lecture Notes
in Computer Science, pages 141{160. Springer-Verlag, Berlin, 2001.

[23] A. Biryukov, J. Lano, and B. Preneel. Cryptanalysis of the alleged SecurID hash
function. Cryptology ePrint Archive, Report 2003/162, 2003. http://eprint.iacr.
org/.

[24] S. Blake-Wilson and A. Menezes. Authenticated Di±e-Hellman key agreement pro-
tocols. In S. E. Tavares and H. Meijer, editors, Selected Areas in Cryptography '98,
SAC'98, Kingston, Ontario, Canada, August 17-18, 1998, Proceedings, volume 1556
of Lecture Notes in Computer Science, pages 339{361. Springer Verlag, Berlin, 1999.

[25] C. W. Blanchard. Wireless security. In R. Temple and J. Regnault, editors, Internet
and wireless security, chapter 8, pages 147{162. IEE, 2002.

[26] A. Boldyreva. E±cient threshold signature, multisignature and blind signature
schemes based on the gap-Di±e-Hellman-group signature scheme. In Y. Desmedt,
editor, International Workshop on Practice and Theory in Public Key Cryptography {
PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 31{46. Springer-
Verlag, 2003.

[27] C. Boyd. A framework for design of key establishment protocols. In J. Pieprzyk and
J. Seberry, editors, Australasian Conference on Information Security and Privacy,
volume 1172 of Lecture Notes in Computer Science, pages 146{157. Springer Verlag,
Berlin, 1996.

[28] C. Boyd and W. Mao. On a limitation of BAN logic. In T. Helleseth, editor, Advances
in Cryptology | EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science,
pages 240{247. Springer-Verlag, Berlin, 1994.

[29] C. Boyd and A. Mathuria. Key establishment protocols for secure mobile communi-
cations: A selective survey. In C. Boyd and E. Dawson, editors, Information Security
and Privacy: Third Australasian Conference, ACISP'98, Brisbane, Australia, July
1998. Proceedings, volume 1438 of Lecture Notes in Computer Science, pages 344{355.
Springer Verlag, Berlin, 1998.

[30] C. Boyd and A. Mathuria. Protocols for Authentication and Key Establishment.
Springer Verlag, 2003.

[31] S. Brands. Rethinking Public Key Infrastructures and Digital Certi¯cates | Building
in Privacy. The MIT Press, Cambridge, Massachusetts, 2000.

[32] D. Branstad. Security aspects of computer networks. In AIAA Computer Network
Systems Conference, Huntsville, Alabama, April 1973. AIAA Paper No. 73-427.

[33] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In CCS '04:
Proceedings of the 11th ACM Conference on Computer and Communications Security,
pages 132{145, New York, NY, USA, 2004. ACM Press.

[34] G. Brown. The use of hardware tokens for identity management. Information Security
Technical Report, 9(1):22{25, January{March 2004.

[35] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Technical Re-
port 39, Digital Systems Research Center, February 1989.

[36] J. Camenisch. Better privacy for trusted computing platforms: (extended abstract).
In P. Samarati, D. Gollmann, and R. Molva, editors, Computer Security - ESORICS
2004: 9th European Symposium on Research in Computer Security, Sophia Antipo-
lis, France, September 13 - 15, 2004. Proceedings, volume 3193 of Lecture Notes in
Computer Science, pages 73{88, 2004.

[37] J. Camenisch and A. Lysyanskaya. An e±cient system for non-transferable anonymous
credentials with optional anonymity revocation. In B. P¯tzmann, editor, Advances in Cryptology | EUROCRYPT 2001, International Conference on the Theory and Appli-
cation of Cryptographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceedings,
volume 2045 of Lecture Notes in Computer Science, pages 93{118. Springer Verlag,
Berlin, 2001.

[38] J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to e±cient
revocation of anonymous credentials. In M. Yung, editor, Advances in Cryptology |
CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara,
California, USA, August 18-22, 2002, Proceedings, volume 2442 of Lecture Notes in
Computer Science, pages 61{76. Springer Verlag, Berlin, 2002.

[39] J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from
bilinear maps. In M. Franklin, editor, Proceedings of the 24th Annual International
Cryptology Conference, Santa Barbara, California, USA, August 15-19 | CRYPTO
2004, volume 3152 of Lecture Notes in Computer Science, pages 56{72. Springer-
Verlag, Berlin, 2004.

[40] J. Camenisch and E. Van Herreweghen. Design and implementation of the idemix
anonymous credential system. In Proceedings of the 9th ACM Conference on Computer
and Communications Security, pages 21{30. ACM Press, New York, 2002.

[41] R. Canetti. Universally composable security: a new paradigm for cryptographic pro-
tocols. In Proceedings of the 42nd IEEE Symposium on Foundations of Computer
Science (FOCS), pages 136{145. IEEE Computer Society, 2001.

[42] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. In
Proceedings of the 13th Annual ACM Symposium on the Theory of Computing, pages
209{218. ACM, 1993.

[43] R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for
building secure channels. In B. P¯tzmann, editor, Advances in Cryptology { EURO-
CRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 453{474.
Springer-Verlag, 2001.

[44] R. Canetti and H. Krawczyk. Universally composable notions of key exchange and
secure channels. In L. Knudsen, editor, Advances in Cryptology { EUROCRYPT 2002,
volume 2332 of Lecture Notes in Computer Science, pages 337{351. Springer-Verlag,
2002.

[45] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms.
Communications of the ACM, 24(2):84{90, 1981.

[46] D. Chaum. Blind signatures for untraceable payments. In R. Rivest, A. Sherman, and
D. Chaum, editors, Advances in Cryptology { CRYPTO 82, pages 199{203. Plenum
Press, 1983.

[47] D. Chaum. Blind signature system. In D. Chaum, editor, Advances in Cryptology {
CRYPTO 83, page 153. Plenum Press, 1984.

[48] D. Chaum. Security without identi¯cation: Transaction systems to make big brother
obsolete. Communications of the ACM, 28(10):1030{1044, October 1985.

[49] D. Chaum. Privacy protected payments: Unconditional payer and/or payee untrace-
ability. In D. Chaum and I. Schaumueller-Bichl, editors, SMART CARD 2000, pages
69{93. Elsevier Science Publishers B.V., 1989.

[50] D. Chaum. Showing credentials without identi¯cation: Transferring signatures be-
tween unconditionally unlinkable pseudonyms. In J. Seberry and J. Pieprzyk, editors,
Advances in Cryptology { AUSCRYPT 90, volume 453 of Lecture Notes in Computer
Science, pages 246{264. Springer-Verlag, Berlin, 1990.

[51] D. Chaum. One-show blind signature systems. U.S. Patent ser. no. 4,987,593. Filed
April 1990. Continuation of abandoned application Ser. No. 07/168,802, ¯led March
1988, January 1991.

[52] D. Chaum. Unpredictable blind signature systems. U.S. Patent serial number 4,991,210.
Filed May 1989., February 1991.

[53] D. Chaum. Achieving electronic privacy. Scienti¯c American, 267(2):96{101, August
1992.

[54] D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmit-
ting personal information between organizations. In A. M. Odlyzko, editor, Advances
in Cryptology | CRYPTO '86, Santa Barbara, California, USA, 1986, Proceedings,
number 263 in Lecture Notes in Computer Science, pages 118{168. Springer Verlag,
Berlin, 1987.

[55] D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash. In S. Goldwasser, editor,
Advances in Cryptology { CRYPTO 88, volume 403 of Lecture Notes in Computer
Science, pages 319{327. Springer-Verlag, Berlin, 1988.

[56] L. Chen. Access with pseudonyms. In E. Dawson and J. D. Golic, editors, Cryp-
tography: Policy and Algorithms, International Conference, Brisbane, Queensland,
Australia, July 3-5, 1995, Proceedings, number 1029 in Lecture Notes in in Computer
Science, pages 232{243. Springer Verlag, Berlin, 1995.

[57] J. Claessens, B. Preneel, and J. Vandewalle. Combining World Wide Web and wireless
security. Informatica, 26(2):123{132, 2002.

[58] S. Clau¼ and M. KÄohntopp. Identity management and its support of multilateral
security. Comput. Networks, 37(2):205{219, 2001.

[59] Compaq, Hewlett-Packard, Intel, Lucent, Microsoft, NEC, Philips. Universal Serial
Bus Speci¯cation, 2nd edition, April 2000.

[60] Computer Security Center of the Department of Defense, Meade, Fort George G.,
Maryland 20755. Department of Defense Password Management Guideline, April 1985.
CSC-STD-002-85.

[61] S. Contini and Y. L. Yin. Improved cryptanalysis of SecurID. Cryptology ePrint
Archive, Report 2003/205, 2003.

[62] B. P. Cosell, P. R. Johnson, J. H. Malman, R. E. Schantz, J. Sussman, R. H. Thomas,
and D. C. Walden. An operational system for computer resource sharing. In SOSP
'75: Proceedings of the ¯fth ACM symposium on operating systems principles, pages
75{81. ACM Press, 1975.

[63] I. Damgºard. Payment systems and credential mechanisms with provable security
against abuse by individuals. In S. Goldwasser, editor, Advances in Cryptology |
CRYPTO '88: Proceedings, number 403 in Lecture Notes in Computer Science, pages
328{335. Springer Verlag, 1990.

[64] D. W. Davies and W. L. Price. Security for computer networks: an introduction to
data security in teleprocessing and electronic funds transfer. John Wiley & Sons, Inc.,
2nd edition, 1989.

[65] J. De Clercq. Single sign-on architectures. In G. I. Davida, Y. Frankel, and O. Rees,
editors, Infrastructure Security, International Conference, InfraSec 2002 Bristol, UK,
October 1-3, 2002, Proceedings, volume 2437 of Lecture Notes in Computer Science,
pages 40{58. Springer Verlag, 2002.

[66] Y. Demchenko. Virtual organisations in computer grids and identity management.
Information Security Technical Report, 9(1):59{76, January{March 2004.

[67] A. Dent and C. Mitchell. User's Guide to Cryptography and Standards. Artech House,
2005.

[68] C. D¶³az, S. Seys, J. Claessens, and B. Preneel. Towards measuring anonymity. In
R. Dingledine and P. F. Syverson, editors, Proceedings of Privacy Enhancing Tech-
nologies, 2nd International Workshop, PET 2002, number 2482 in Lecture Notes in
Computer Science, pages 54{68. Springer-Verlag, Berlin, 2002.

[69] W. Di±e and M. E. Hellman. New directions in cryptography. IEEE Transactions on
Information Theory, IT-22(6):644{654, 1976.

[70] D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions
on Information Theory, 29(2):198{208, March 1983.

[71] J. R. Douceur. The Sybil attack. In P. Druschel, F. Kaashoek, and A. Rowstron, ed-
itors, Peer-to-Peer Systems: First International Workshop, IPTPS 2002, Cambridge,
MA, USA, March 7-8, volume 2429 of Lecture Notes in Computer Science, pages
251{260. Springer-Verlag, Berlin, 2002.

[72] J. Edwards. Single sign-on technology streamlines network access. Software Magazine,
13(17):35{42, 1993.

[73] Electronic Industries Alliance. EIA232E: Interface between Data Terminal Equipment
and Data Circuit Terminating Equipment employing serial binary data interchange,
1991.

[74] J. H. Ellis. The possibility of secure non-secret digital encryption. Report, CESG,
January 1970.

[75] EMV. EMV2000 Integrated Circuit Card Speci¯cation for Payment Systems Version
4.0 | Book 1: Application Independent ICC to Terminal Interface Requirements,
December 2000.

[76] EMV. EMV2000 Integrated Circuit Card Speci¯cation for Payment Systems Version
4.0 | Book 2: Security and Key Management, December 2000.

[77] EMV. EMV2000 Integrated Circuit Card Speci¯cation for Payment Systems Version
4.0 | Book 3: Application Speci¯cation, December 2000.

[78] EMV. EMV2000 Integrated Circuit Card Speci¯cation for Payment Systems Version
4.0 | Book 4: Cardholder, Attendant and Acquirer Interface Requirements, December
2000.

[79] European Telecommunications Standards Institution (ETSI). Digital cellular telecom-
munications system (Phase 2+); Security aspects (GSM 02.09 version 8.0.1), June
2001.

[80] European Telecommunications Standards Institution (ETSI). Digital cellular telecom-
munications system (Phase 2+); Security related network functions (GSM 03.20 ver-
sion 8.1.0), July 2001.

[81] D. Flanagan. Java in a Nutshell. O'Reilly, 3rd edition, November 1999.

[82] W. Ford and M. Baum. Secure Electronic Commerce. Prentice Hall, 1996.

[83] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, and
L. Stewart. RFC 2617: HTTP Authentication: Basic and Digest Access Authentica-
tion. Internet Engineering Task Force, June 1999.

[84] S. Galbraith and W. Mao. Invisibility and anonymity of undeniable and con¯rmer
signatures. In M. Joye, editor, Topics in Cryptology - CT-RSA 2003, The Cryptog-
raphers' Track at the RSA Conference 2003, San Francisco, CA, USA, April 13-17,
2003, Proceedings, volume 2612 of Lecture Notes in Computer Science, pages 80{97.
Springer, 2003.

[85] R. Ganesan. Yaksha: augmenting Kerberos with public key cryptography. In SNDSS
'95: Proceedings of the 1995 Symposium on Network and Distributed System Security
(SNDSS'95), pages 132{143, Washington, DC, USA, 1995. IEEE Computer Society.

[86] M. Ghanbari, C. Hughes, M. Sinclair, and J. Eade. Principles of Performance En-
gineering for Telecommunication and Information Systems. Institution of Electrical
Engineers, 1997.

[87] O. Goldreich. Randomness, interactive proofs, and zero-knowledge { a survey. In
R. Herken, editor, The Universal Turing Machine: A Half Century Survey, pages
377{405. Oxford University Press, 1988.

[88] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their valid-
ity or all languages in np have zero-knowledge proof systems. Journal of the ACM,
38(3):690{728, 1991.

[89] D. M. Goldschlag, M. G. Reed, and P. F. Syverson. Onion routing for anonymous
and private internet connections. Communications of the ACM, 42(2):84{88, January
1999.

[90] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against
adaptive chosen-message attacks. SIAM J. Comput., 17(2):281{308, 1988.

[91] S. Gritzalis, D. Spinellis, and P. Georgiadis. Security protocols over open networks
and distributed systems: Formal methods for their analysis, design, and veri¯cation.
Computer Communications, 22(8):697{709, May 1999.

[92] T. Gross. Security analysis of the SAML single sign-on browser/artifact pro¯le. In
Proceedings of the 19th Annual Computer Security Applications Conference, pages
298{307. IEEE Press, December 2003.

[93] T. Gross and B. P¯tzmann. Proving a WS-federation passive requestor pro¯le. In
ACM Secure Web Services Workshop. ACM Press, 2004. to appear.

[94] M. F. Grubb and R. Carter. Single sign-on and the system administrator. In Proceed-
ings of the Twelfth Systems Administration Conference (LISA 98). Usenix, 1998.

[95] M. Hansen, P. Berlich, J. Camenisch, S. Clau, A. P¯tzmann, and M.Waidner. Privacy-
enhancing identity management. Information Security Technical Report, 9(1):35{44,
January{March 2004.

[96] S. M. Hansen, J. Skriver, and H. R. Nielson. Using static analysis to validate the saml
single sign-on protocol. In WITS '05: Proceedings of the 2005 workshop on Issues in
the theory of security, pages 27{40, New York, NY, USA, 2005. ACM Press.

[97] IEEE. IEEE 1284.1 Standard for Information TechnologyTransport Independent Print-
er/System Interface (TIP/SI), 1997.

[98] IEEE. Standard 802.11b-1999/Cor 1-2001(Corrigendum to IEEE Std 802.11b-1999),
1999-2001.

[99] Internet Engineering Task Force. RFC 1510: The Kerberos Network Authentication
Service (V5), September 1993.

[100] Internet Engineering Task Force. RFC 2898: PKCS #5: Password-Based Cryptogra-
phy Speci¯cation Version 2.0, September 2000.

[101] Internet Engineering Task Force. RFC 2821: Simple Mail Transfer Protocol, April
2001.

[102] Internet Engineering Taskforce. Extensible Authentication Protocol Method for GSM
Subscriber Identity Modules (EAP-SIM), December 2004. work in progress.

[103] L. Ishitani, V. Almeida, and W. M. Jr. Masks: Bringing anonymity and personalization
together. IEEE Security and Privacy, 1(3):18{23, May{June 2003.

[104] ITU-T Recommendation X.509. Information technology | Open Systems Intercon-
nection | The Directory: Public-key and attribute certi¯cate frameworks, 2000.

[105] B. Ives, K. R. Walsh, and H. Schneider. The domino e®ect of password reuse. Com-
munications of the ACM, 47(4):75{78, April 2004.

[106] U. Jendricke and D. G. tom Markotten. Usability meets security | the identity-
manager as your personal security assistant for the internet. In Proceedings of the 16th
Annual Computer Security Applications Conference, pages 344{355. IEEE Computer
Society, 2000.

[107] J. Jeong, D. Shin, D. Shin, and K. Moon. Java-based single sign-on library supporting
SAML for distributed web services. In J. X. Yu, X. Lin, H. Lu, and Y. Zhang, edi-
tors, Advanced Web Technologies and Applications, 6th Asia-Paci¯c Web Conference,
APWeb 2004, Hangzhou, China, April 14-17, 2004, volume 3007 of Lecture Notes in
Computer Science, pages 891{894. Springer Verlag, Berlin, 2004.

[108] A. J¿sang and M. A. Patton. User interface requirements for authentication of com-
munication. In CRPITS '18: Proceedings of the Fourth Australian user interface
conference on User interfaces 2003, pages 75{80, Darlinghurst, Australia, Australia,
2003. Australian Computer Society, Inc.

[109] W. K. Josephson, E. G. Sirer, and F. B. Schneider. Peer-to-peer authentication with
a distributed single sign-on service. In G. M. Voelker and S. Shenker, editors, Peer-to-
Peer Systems III, Third International Workshop, IPTPS 2004, La Jolla, CA, USA,
February 26-27, 2004, Revised Selected Papers, volume 3279 of Lecture Notes in Com-
puter Science, pages 250{258. Springer, 2005.

[110] A. Juels, M. Luby, and R. Ostrovsky. Security of blind digital signatures. In B. S.
Kaliski, editor, Advances in Cryptology { CRYPTO '97, volume 1294 of Lecture Notes
in Computer Science, pages 150{164, London, UK, 1997. Springer-Verlag.

[111] J. Katz and M. Yung. Complete characterization of security notions for probabilistic
private-key encryption. In STOC '00: Proceedings of the thirty-second annual ACM
symposium on theory of computing, pages 245{254. ACM Press, 2000.

[112] C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communication
in a Public World. Prentice Hall, 2nd edition, 2002.

[113] R. A. Kemmerer, C. Meadows, and J. K. Millen. Three systems for cryptographic
protocol analysis. Journal of Cryptology, 7(2):79{130, 1994.

[114] S. T. Kent. Encryption-based protection protocols for interactive user-computer com-
munication. Laboratory for Computer Science Technical Report 162, Massachusetts
Institute of Technology, May 1976.

[115] S. T. Kent. Encryption-based protection for interactive user/computer communication.
In Proceedings of the ¯fth symposium on data communications, pages 5.7{5.13. ACM
Press, 1977.

[116] R. Khare and S. Lawrence. Upgrading to TLS Within HTTP/1.1, 2000.

[117] V. Khu-Smith and C. Mitchell. Using GSM to enhance e-commerce security. In
Proceedings of the Second ACM International Workshop on Mobile Commerce (WMC
'02), pages 75{81, New York, 2002. ACM Press.

[118] N. Koblitz and A. Menezes. Another look at \provable security". Cryptology ePrint
Archive, Report 2004/152, 2004. http://eprint.iacr.org/.

[119] J. Kohl, B. Neuman, and T. Ts'o. The evolution of the Kerberos authentication
service. In Distributed Open Systems, pages 78{94. IEEE Computer Society Press,
1994.

[120] D. P. Kormann and A. D. Rubin. Risks of the Passport single signon protocol. In
Proceedings of the 9th international World Wide Web conference on computer networks
: the international journal of computer and telecommunications networking, pages 51{
58, Amsterdam, The Netherlands, The Netherlands, 2000. North-Holland Publishing
Co.

[121] H. Krawczyk. Simple forward-secure signatures from any signature scheme. In CCS
'00: Proceedings of the 7th ACM conference on computer and communications security,
pages 108{115, New York, NY, USA, 2000. ACM Press.

[122] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone. An e±cient protocol for
authenticated key agreement. Des. Codes Cryptography, 28(2):119{134, 2003.

[123] C.-C. Lee, W.-P. Yang, and M.-S. Hwang. Untraceable blind signature schemes based
on discrete logarithm problem. Fundam. Inf., 55(3-4):307{320, 2003.

[124] J.-Y. Lee, J. H. Cheon, and S. Kim. An analysis of proxy signatures: Is a secure
channel necessary? In M. Joye, editor, Topics in Cryptology - CT-RSA 2003, The
Cryptographers' Track at the RSA Conference 2003, San Francisco, CA, USA, April
13-17, 2003, Proceedings, volume 2612 of Lecture Notes in Computer Science, pages
68{79. Springer, 2003.

[125] B. N. Levine, M. Reiter, C. Wang, and M. Wright. Stopping timing attacks in low-
latency mix-based systems. In A. Juels, editor, Proceedings of Financial Cryptography,
8th International Conference, FC 2004, Key West, FL, USA, February 9-12, volume
3110 of Lecture Notes in Computer Science. Springer, Berlin, 2004.

[126] B. Li, S. Ge, T. Wo, and D. Ma. Research and implementation of single sign-on
mechanism for ASP pattern. In H. Jin, Y. Pan, N. Xiao, and J. Sun, editors, Grid and
Cooperative Computing - GCC 2004: Third International Conference, Wuhan, China,
October 21-24, 2004. Proceedings, volume 3251 of Lecture Notes in Computer Science,
pages 161{166. Springer, 2004.

[127] Liberty Alliance. Identity Systems and Liberty Speci¯cation, version 1.1, Interoper-
ability, January 2003.

[128] Liberty Alliance. Liberty Architecture Glossary v.1.2-04, April 2003.

[129] Liberty Alliance. Liberty Authentication Context Speci¯cation v.1.2-05, April 2003.

[130] Liberty Alliance. Liberty ID-FF Architecture Overview v.1.2-03, April 2003.

[131] Liberty Alliance. Liberty ID-FF Bindings and Pro¯les Speci¯cation v.1.2-08, April
2003.

[132] Liberty Alliance. Liberty ID-FF Implementation Guidelines v.1.2-02, April 2003.

[133] Liberty Alliance. Liberty ID-FF Protocols and Schema Speci¯cation v.1.2-08, April
2003.

[134] M. Linden and I. Vilpola. An empirical study on the usability of logout in a single
sign-on system. In R. H. Deng, F. Bao, H. Pang, and J. Zhou, editors, Proceedings
of the First Information Security Practice and Experience Conference (ISPEC 2005),
volume 3439 of Lecture Notes in Computer Science, pages 243{254. Springer Verlag,
Berlin, 2005.

[135] G. Lowe. An attack on the Needham-Schroeder public-key authentication protocol.
Inf. Process. Lett., 56(3):131{133, 1995.

[136] G. Lowe. Breaking and ¯xing the Needham-Schroeder public-key protocol using FDR.In T. Margaria and B. Ste®en, editors, Tools and Algorithms for Construction and Analysis of Systems, Second International Workshop, TACAS '96, Passau, Germany,March 27-29, 1996, Proceedings, volume 1055 of Lecture Notes in Computer Science,pages 147{166. Springer-Verlag, 1996.

[137] A. Lysyanskaya. Signature schemes and applications to cryptographic protocol design.PhD thesis, Massachusetts Institute of Technology, Cambridge, Massachusetts, September 2002.

[138] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. In H. M.Heys and C. M. Adams, editors, Selected Areas in Cryptography, 6th Annual International Workshop, SAC'99, Kingston, Ontario, Canada, August 9-10, 1999, Proceedings, volume 1758 of Lecture Notes in Computer Science, pages 184{199. Springer Verlag, Berlin, 2000.

[139] W. Mao. Modern Cryptography: Theory and Practice. Prentice Hall PTR, 2003.

[140] C. Meadows. Applying formal methods to the analysis of a key management protocol.Journal of Computer Security, 1(1):5{36, 1992.

[141] A. Menezes, M. Qu, and S. Vanstone. Some new key agreement protocols providing mutual implicit authentications. Proceedings of the 2nd Workshop on Selected Areas in Cryptography (SAC'95), Carleton University, Ottawa, Canada, May 1995, pages 22{32, May 1995.

[142] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997.

[143] R. C. Merkle. Secure communications over insecure channels. Commun. ACM,
21(4):294{299, 1978.

[144] Microsoft. Microsoft .NET Passport Review Guide, November 2002.

[145] S. Nanavati, M. Thieme, and R. Nanavati. Biometrics: Identity Veri¯cation in a Networked World. Wiley, March 2002.

[146] National Bureau of Standards, U.S. Department of Commerce, Washington D.C.
Federal Information Processing Standards Publication 46-3: Data Encryption Stan-
dard(DES), October 1999.

[147] National Institute of Standards and Technology. Federal Information Processing Standards Publication 180-1: Secure Hash Standard, April 1995.

[148] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993{999, 1978.

[149] OASIS, http://www.oasis-open.org/committees/security/. Security Services Technical Commitee Homepage.

[150] OASIS. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), May 2002.

[151] R. Oppliger. Microsoft .NET passport and identity management. Information Security Technical Report, 9(1):26{34, January{March 2004.

[152] P. Pagliusi and C. J. Mitchell. PANA/GSM authentication for Internet access. In Proceedings of SympoTIC '03, Joint IST Workshop on Mobile Future and Symposium on Trends in Communications, pages 146{152. IEEE Press, October 2003.

[153] A. Pashalidis. A cautionary note on automatic proxy con¯guration. In M. Hamza,editor, IASTED International Conference on Communication, Network, and Information Security, CNIS 2003, New York, USA, December 10-12, 2003, Proceedings, pages 153{158. ACTA Press, December 2003.

[154] A. Pashalidis and C. Mitchell. A security model for anonymous credential systems. In S. J. Y. Deswarte, F. Cuppens and L. Wang, editors, Information Security Management, Education and Privacy, Proceedings of the 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems (I-NetSec'04), pages 183{199.Kluwer Academic Publishers, August 2004.

[155] A. Pashalidis and C. Mitchell. Using EMV cards for single sign-on. In S. K. Katsikas,S. Gritzalis, and J. Lopez, editors, Public Key Infrastructure, First European PKI Workshop: Research and Applications, EuroPKI 2004, Samos Island, Greece, June 25-26, 2004, Proceedings, volume 3093 of Lecture Notes in Computer Science, pages 205{217. Springer Verlag, June 2004.

[156] A. Pashalidis and C. J. Mitchell. Single sign-on using trusted platforms. In C. Boyd and W. Mao, editors, Information Security, 6th International Conference, ISC 2003,Bristol, UK, October 1-3, 2003, Proceedings, volume 2851 of Lecture Notes in Computer Science, pages 54{68. Springer-Verlag, October 2003.

[157] A. Pashalidis and C. J. Mitchell. A taxonomy of single sign-on systems. In R. SafaviNaini and J. Seberry, editors, Information Security and Privacy { 8th Australasian Conference, ACISP, volume 2727 of Lecture Notes in Computer Science, pages 249{264. Springer Verlag, July 2003.

[158] A. Pashalidis and C. J. Mitchell. Using GSM/UMTS for single sign-on. In Proceedings of SympoTIC '03, Joint IST Workshop on Mobile Future and Symposium on Trends in Communications, Bratislava, Slovakia, pages 138{145. IEEE Press, October 2003.

[159] A. Pashalidis and C. J. Mitchell. Impostor: A single sign-on system for use from untrusted devices. In Proceedings of the IEEE Globecom Conference, Dallas, Texas,USA, November 29 { December 3. IEEE Press, 2004.

[160] A. Pashalidis and C. J. Mitchell. Single sign-on using trusted platforms. In C. J.Mitchell, editor, Trusted Computing, chapter 6, pages 175{193. IEE Press, London,2005.

[161] A. Pashalidis and C. J. Mitchell. Limits to anonymity when using credentials. In Proceedings of the 12th International Workshop on Security Protocols, Cambridge,U.K., Lecture Notes in Computer Science. Springer Verlag, to appear.

[162] T. P. Pedersen and B. P¯tzmann. Fail-stop signatures. SIAM J. Comput., 26(2):291{330, 1997.

[163] G. Persiano and I. Visconti. An e±cient and usable multi-show non-transferable anonymous credential system. In A. Juels, editor, Proceedings of the Eighth International Financial Cryptography Conference (FC '04), volume 3110 of Lecture Notes in Computer Science, pages 196{211, 2004.

[164] A. P¯tzmann and M. KÄohntopp. Anonymity, unobservability, and pseudonymity - a proposal for terminology. In H. Federrath, editor, Designing Privacy Enhancing Technologies, International Workshop on Design Issues in Anonymity and Unobservability, July 2000, number 2009 in Lecture Notes in Computer Science, pages 141{160.Springer-Verlag, Berlin, 2001.

[165] B. P¯tzmann. Privacy in enterprise identity federation | policies for Liberty 2 single
sign on. Information Security Technical Report, 9(1):45{58, January{March 2004.

[166] B. P¯tzmann. Privacy in enterprise identity federation | policies for Liberty single signon. In Proceeings: 3rd Workshop on Privacy Enhancing Technologies (PET 2003),Dresden, March 2003, Lecture Notes in Computer Science. Springer-Verlag, Berlin, to appear.

[167] B. P¯tzmann and M. Waidner. Privacy in browser-based attribute exchange. In S. Jajodia and P. Samarati, editors, WPES '02: Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, pages 52{62, New York, NY, USA, 2002. ACM Press.

[168] B. P¯tzmann and M. Waidner. Analysis of Liberty single-sign-on with enabled clients.Internet Computing, 7(6):38{44, November/December 2003.

[169] D. Pointcheval and J. Stern. Provably secure blind signature schemes. In M. Y. Rhee and K. Kim, editors, Advances in Cryptology | Proceedings of ASIACRYPT '96,volume 1163 of Lecture Notes in Computer Science, pages 252{265. Springer-Verlag,1996.

[170] G. J. Popek and C. S. Kline. Encryption and secure computer networks. ACM Comput.Surv., 11(4):331{356, 1979.

[171] J. Postel and J. Reynolds. RFC 959: File Transfer Protocol. Internet Engineering Task Force, October 1985.

[172] S. Prabhakar, S. Pankanti, and A. K. Jain. Biometric recognition: Security and privacy concerns. IEEE Security and Privacy, 1(2):33{42, March-April 2003.

[173] M. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report LCS/TR-212, MIT Lab. for Computer Science, 1979.

[174] C. Radu. Implementing Electronic Card Payment Systems. Computer Security Series.Artech House, Norwood, 2002.

[175] A. J. Rae and L. P. Wildman. A taxonomy of attacks on secure devices. In J. Slay,editor, Proceedings of the Fourth Australian Information Warfare and IT Security Conference, pages 251{263, 2003.

[176] K. Rannenberg. Identity management in mobile cellular networks and related applications. Information Security Technical Report, 9(1):77{85, January{March 2004.

[177] J.-F. Raymond. Tra±c analysis: Protocols, attacks, design issues, and open problems. In H. Federrath, editor, Designing Privacy Enhancing Technologies, International Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA,USA, July 25-26, 2000, Proceedings, volume 2009 of Lecture Notes in Computer Science, pages 10{29. Springer-Verlag, Berlin, 2001.

[178] M. Rennhard and B. Plattner. Introducing MorphMix: Peer-to-Peer based Anonymous Internet Usage with Collusion Detection. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2002), Washington, DC, USA, November 2002. ACM.

[179] E. Rescorla. HTTP Over TLS, 2000.

[180] E. Rescorla. SSL and TLS. Addison-Wesley, Reading, Massachusetts, 2001.

[181] V. Samar. Single sign-on using cookies for web applications. In IEEE 8th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises,pages 158{164. IEEE Press, 1999.

[182] F. Satoh and T. Itoh. Single sign on architecture with dynamic tokens. In Proceedings of the 2004 International Symposium on Applications and the Internet (SAINT'04),pages 197{200. IEEE Press, 2004.

[183] A. Serjantov. On the anonymity of anonymity systems. Technical Report UCAM-CL-TR-604, Computer Laboratory, University of Cambridge, U.K., October 2004.

[184] A. Serjantov and G. Danezis. Towards an information theoretic metric for anonymity.In R. Dingledine and P. F. Syverson, editors, Privacy Enhancing Technologies, Second International Workshop, PET 2002, San Francisco, CA, USA, April 14-15, 2002,Revised Papers, volume 2482 of Lecture Notes in Computer Science, pages 41{53.Springer-Verlag, Berlin, 2002.

[185] G. J. Simmons. Symmetric and asymmetric encryption. ACM Comput. Surv.,
11(4):305{330, 1979.

[186] M. Sipser. Introduction to the Theory of Computation. PWS Publishing Company,1997.

[187] M. Small. Business and technical motivation for identity management. Information Security Technical Report, 9(1):6{21, January{March 2004.

[188] N. Smart. Cryptography, An Introduction. McGraw-Hill, 2002.

[189] I. Spagui. Secured Single Signon in a Client/Server Environment. Vervante Corporate Publishing, 1994.

[190] W. Stallings. Cryptography and network security (2nd ed.): principles and practice.Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1999.

[191] S. Steinbrecher and S. Koepsell. Modelling unlinkability. In R. Dingledine, editor,Privacy Enhancing Technologies, Third International Workshop, PET 2003, Dresden,Germany, March 26-28, 2003, Revised Papers, volume 2760 of Lecture Notes in Computer Science, pages 32{47. Springer-Verlag, Berlin, 2003.

[192] J. G. Steiner, B. C. Neuman, and J. Schiller. Kerberos: An authentication service for open network systems. In Proceedings of the Winter 1988 Usenix Conference, pages 191{201. Usenix, February 1988.

[193] R. J. Sutton. Secure Communications: Applications and Management. John Wiley & Sons, 2002.

[194] P. F. Syverson and P. C. V. Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the IEEE Computer Security Foundations Workshop VII,pages 14{29. IEEE Computer Society Press, 1994.

[195] N. T. Trask and M. V. Meyerstein. Smart cards in electronic commerce. BT Technology Journal, 17(3):57{66, July 1999.

[196] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 | Structures of the TPM, 2003.

[197] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 | TPM Commands,
2003.

[198] Trusted Computing Group. TCG TPM Speci¯cation Version. 1.2 Design Principles,2003.

[199] U. Uludag and A. Jain. Attacks on biometric systems: a case study in ¯ngerprints. In Proceedings of SPIE-EI 2004, pages 622{633, San Jose, CA, January 2004. SPIE.

[200] K. Vedder. GSM: Security, services, and the SIM. In B. Preneel and V. Rijmen,editors, State of the Art in Applied Cryptography, volume 1528 of Lecture Notes in Computer Science, pages 224{240. Springer-Verlag, Berlin, 1997.

[201] E. R. Verheul. Self-blindable credential certi¯cates from the Weil pairing. In C. Boyd,editor, ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security, volume 2248 of Lecture Notes in Computer Science, pages 533{551. Springer Verlag, Berlin, 2001.

[202] A. Volchkov. Revisiting single sign-on: A pragmatic approach in a new context. IT Professional, 3(1):39{45, January/February 2001.

[203] M. Walker and T. Wright. Security. In F. Hillebrand, editor, GSM and UMTS: The creation of global mobile communication, chapter 14, pages 385{406. John Wiley & Sons, 2002.

[204] J. Wayman, A. K. Jain, D. Maltoni, and D. Maio. Biometric Systems: Technology,Design and Performance Evaluation. Springer Verlag, 2005.

[205] M. J. Williamson. Thoughts on cheaper non-secret encryption. Report, CESG, August 1976.

[206] J. D. Woodward Jr., N. M. Orlans, and P. T. Higgins. Biometrics: Identity Assurance In The Information Age. McGraw Hill, January 2003.

[207] World Wide Web Consortium. The Platform for Privacy Preferences 1.0 (P3P 1.0)Speci¯cation, April 2002.