D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green et al., Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pp.5-17, 2015.
DOI : 10.1145/2810103.2813707

URL : https://hal.archives-ouvertes.fr/hal-01184171

S. Bellovin and E. Rescorla, Deploying a new hash algorithm, NDSS, 2006.

F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, and D. Stebila, Multi-Ciphersuite Security of the Secure Shell (SSH) Protocol, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pp.369-381, 2014.
DOI : 10.1145/2660267.2660286

K. Bhargavan, A. Delignat-Lavaud, and A. Pironti, Verified Contributive Channel Bindings for Compound Authentication, Proceedings 2015 Network and Distributed System Security Symposium, NDSS '15, 2015.
DOI : 10.14722/ndss.2015.23277

URL : https://hal.archives-ouvertes.fr/hal-01114248

K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, and P.-Y. Strub, Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS, 2014 IEEE Symposium on Security and Privacy, 2014.
DOI : 10.1109/SP.2014.14

URL : https://hal.archives-ouvertes.fr/hal-01102259

I. B. Damgård, A Design Principle for Hash Functions, CRYPTO'89, 1990.
DOI : 10.1007/0-387-34805-0_39

T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, IETF RFC 5246, 2008.
DOI : 10.17487/rfc5246

T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3, Internet Draft, 2014.

M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, IETF RFC 4419, 2006.
DOI : 10.17487/rfc4419

F. Giesen, F. Kohlar, and D. Stebila, On the security of TLS renegotiation, Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, CCS '13, 2013.
DOI : 10.1145/2508859.2516694

D. Gillmor, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS, Internet Draft, 2015.

S. Halevi and H. Krawczyk, Strengthening Digital Signatures Via Randomized Hashing, CRYPTO, 2006.
DOI : 10.1007/11818175_3

B. Hill, D. Baghdasaryan, B. Blanke, R. Lindemann, and J. Hodges, FIDO UAF Application API and Transport Binding Specification v1.0. Draft Specification, 2015.

P. Hoffman, Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec, IETF RFC 4894, 2007.
DOI : 10.17487/rfc4894

P. Hoffman and B. Schneier, Attacks on Cryptographic Hashes in Internet Protocols, IETF RFC 4270, 2005.
DOI : 10.17487/rfc4270

T. Jager, F. Kohlar, S. Schäge, and J. Schwenk, On the Security of TLS-DHE in the Standard Model, CRYPTO, 2012.
DOI : 10.1007/978-3-642-32009-5_17

A. Joux, Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, CRYPTO, 2004.
DOI : 10.1007/978-3-540-28628-8_19

J. Kelsey and T. Kohno, Herding Hash Functions and the Nostradamus Attack, EUROCRYPT, 2006.
DOI : 10.1007/11761679_12

H. Krawczyk, SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols, CRYPTO, 2003.
DOI : 10.1007/978-3-540-45146-4_24

H. Krawczyk, K. G. Paterson, and H. Wee, On the Security of the TLS Protocol: A Systematic Analysis, CRYPTO, 2013.
DOI : 10.1007/978-3-642-40041-4_24

A. Langley, Transport Layer Security (TLS) Snap Start, Internet Draft, 2010.

A. Langley, Transport Layer Security (TLS) Next Protocol Negotiation Extension, Internet Draft, 2012.

G. Leurent, Practical key-recovery attack against APOP, an MD5-based challenge-response authentication, International Journal of Applied Cryptography, vol.1, issue.1, pp.32-46, 2008.
DOI : 10.1504/IJACT.2008.017049

N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel, A cross-protocol attack on the TLS protocol, Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12, 2012.
DOI : 10.1145/2382196.2382206

F. Mendel, C. Rechberger, and M. Schläffer, MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners, ASIACRYPT, 2009.
DOI : 10.1007/978-3-642-10366-7_9

A. Menon-Sen, N. Williams, A. Melnikov, and C. Newman, Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms, IETF RFC 5802, 2010.
DOI : 10.17487/rfc5802

R. C. Merkle, A Certified Digital Signature, CRYPTO'89, 1990.
DOI : 10.1007/0-387-34805-0_21

J. M. Pollard, A Monte Carlo Method for Factorization, BIT, vol.15, issue.3, pp.331-334, 1975.
DOI : 10.1007/BF01933667

J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), Mathematics of Computation, vol.32, issue.143, pp.918-924, 1978.
DOI : 10.2307/2006496

A. Popov, M. Nystroem, D. Balfanz, and A. Langley, The Token Binding Protocol Version 1.0. Internet Draft, 2015.

M. Stevens, Counter-Cryptanalysis, CRYPTO, 2013.
DOI : 10.1007/978-3-642-40041-4_8

M. Stevens, New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis, EUROCRYPT, 2013.
DOI : 10.1007/978-3-642-38348-9_15

M. Stevens, A. K. Lenstra, and B. de Weger, Chosen-prefix collisions for MD5 and applications, International Journal of Applied Cryptography, vol.2, issue.4, pp.322-359, 2012.
DOI : 10.1504/IJACT.2012.048084

P. C. van Oorschot and M. J. Wiener, Parallel Collision Search with Cryptanalytic Applications, Journal of Cryptology, vol.12, issue.1, pp.1-28, 1999.
DOI : 10.1007/PL00003816

X. Wang and H. Yu, How to Break MD5 and Other Hash Functions, EUROCRYPT, 2005.
DOI : 10.1007/11426639_2

T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, IETF RFC 4253, 2006.
DOI : 10.17487/rfc4253

P. Zimmermann, ZRTP: Media Path Key Agreement for Unicast Secure RTP, IETF RFC 6189, 2011.
DOI : 10.17487/rfc6189

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.204.7038