A Reading List in Information Security


Last Updated on January 6, 2004.

This reading list is prepared by information security faculty members at CERIAS and Purdue’s Computer Science Department, with help from many other people.

This list is primarily for Purdue Computer Science graduate students who plan to take the oral Qualifier Exam in the information security area. This list is likely to be used as a basis for a Qualifier exam. For example, a student may be asked to read all the basic papers, a textbook on cryptography, and a number of (e.g., five) additional papers. These additional papers may be chosen from the list of advanced papers or assigned by the exam committee. The extent to which this list is used for a particular exam is completely up to the exam committee to decide.

The basic papers are also recommended for any graduate student who plans to conduct research in security. The advanced papers are recommended for students who wish to know more about particular research areas in security.

We have copies of some papers that are not available online. These papers are kept in REC 217. Ask the receptionist in REC 217 for the “Security Qual2 Readings” folder, make copies of the papers you need, and return the folder.

Comments and suggestions are welcome.  Please send them to ninghui@cs.purdue.edu

Basic Papers

  1. W. Diffie and M.E. Hellman. New directions in cryptography.  IEEE Transactions on Information Theory, Volume 22, Number 6, November 1976, pp. 644 - 654.
  2. S. Goldwasser and S. Micali.  Probabilistic encryption.   Journal of Computer & System Sciences, Volume 28, Number 2,  April 1984, pp. 270-299.
  3. K. Thompson. Reflections on Trusting Trust.  Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763.
  4. J.H. Saltzer and M.D. Schroeder. Part I-A of The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278-1308, 1975.
      The eight principles in Part I-A are as relevant today as they were back then.
  5. L. Lamport, R. Shostak, and M. Pease. The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems 4(3):382-401, July 1982.
      Technically, this is not a security paper. However, it is a fundamental paper of distributed computing, which is closely related to security.
  6. B. Lampson. "A note on the confinement problem". Communications of the ACM, Volume 16, Issue 10, pp. 613 - 615, October 1973. S.B. Lipner, M. Bedford. "A Comment on the Confinement Problem". Proceedings of the fifth ACM symposium on Operating systems principles, November 1975.
      These two papers are listed together because they are both short and should be read together.
  7. D.D. Clark and D.R. Wilson. "A Comparison of Commercial and Military Computer Security Policies" In Proceedings of the 1987 IEEE Symposium on Security and Privacy.
  8. R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-Based Access Control Models. IEEE Computer, 29(2):38--47, February 1996.
  9. E. Spafford. "The Internet Worm Program: An Analysis". Purdue Technical Report CSD-TR-823.
  10. S.M. Bellovin. "Security Problems in the TCP/IP Protocol Suite". ACM Computer Communication Review, Volume 19, Issue 2 (April 1989).
  11. J.G. Steiner, B.C. Neuman, J.I. Schiller. "Kerberos: An Authentication Service for Open Network Systems" In Usenix Conference Proceedings, pp. 191--202, Mar. 1988.
  12. S.M. Bellovin, M. Merritt.  "Limitations of the Kerberos Authentication System". ACM Computer Communications Review, 1991.
  13. D. Denning. "An Intrusion-Detection Model". IEEE Transactions on Software Engineering, Volume SE-13, Number 2, February 1987, pp. 222-232.
  14. V. Paxson. "Bro: A System for Detecting Network Intruders in Real-Time". Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
  15. M. Abadi and R. Needham. "Prudent Engineering Practice for Cryptographic Protocols". IEEE Transactions on Software Engineering. January 1996 (Vol. 22, No. 1)
  16. R. Anderson. "Why Cryptosystems Fail". Communications of the ACM, 37(11):32-40, November 1994.
  17. N. Borisov, I. Goldberg, D. Wagner.  Intercepting Mobile Communications: The Insecurity of 802.11, MOBICOM 2001.

Advanced Papers


  1. M. Blum and S. Micali. "How to generate cryptographically strong sequences of pseudo-random bits". SIAM Journal on Computing, Volume 13, Issue 4 (November 1984), pages 850--864. Conference version in FOCS 1982.
      Copy available in REC 217.
  2. S. Goldwasser, S. Micali, and C. Rackoff. "Knowledge complexity of Interactive Proof Systems". SIAM Journal on Computing, Volume 18, Issue 1 (February 1989), pages 186--208. Conference version in STOC 1985.
  3. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of First ACM Conference on Computer and Communications Security (CCS), 1993.
  4. M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes. Extended abstract in Advances in Cryptology - Crypto 98.
  5. Matt Franklin and Moti Yung. "Varieties of secure distributed computing".
  6. P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT 1999.
  7. A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret sharing or: How to cope with perpetual leakage. In Crypto'95.
  8. D. Boneh and M. Franklin. "Identity-based encryption from the Weil pairing". SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
      Extended abstract in proceedings of Crypto '2001, Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, pp. 213-229, 2001.
  9. M. Bellare and O. Goldreich. "On defining proofs of knowledge". In CRYPTO 1992.

Access Control

  1. Michael A. Harrison and Walter L. Ruzzo and Jeffrey D. Ullman. "Protection in Operating Systems". CACM, August 1976.
  2. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. "A calculus for access control in distributed systems". ACM Transactions on Programming Languages and Systems (TOPLAS). Volume 15, Issue 4 (September 1993), Pages: 706 - 734.
  3. M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proc. of IEEE Symposium on Security and Privacy, 1996.
  4. R. L. Rivest and B. Lampson. SDSI --- A Simple Distributed Security Infrastructure. Version 1.1.
  5. F.B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security (TISSEC). Volume 3, Issue 1 (February 2000). Pages: 30 - 50

Other candidates

  • E Bertino, E Ferrari, V Atluri. "The specification and enforcement of authorization constraints in workflow management systems".
  • R.S. Sandhu.  "Lattice-based access control models".
  • D. Sutherland.  "A Model of Information"
  • Goguen and Meseguer.  "Unwinding and Inference Control"
  • Goguen and Meseguer.  "Security Policies and Security Models"

Database Security

  1. P.P. Griffiths and B.W. Wade. "An authorization mechanism for a relational database system". ACM Transactions on Database Systems (TODS), Volume 1, Issue 3 (September 1976), Pages: 242 - 255.
  2. Nabil R. Adam, John C. Wortmann. "Security-control methods for statistical databases: a comparative study"
  3. F Rabitti, E Bertino, W Kim, D Woelk. "A model of authorization for next-generation database systems".

Network Security and Intrusion Detection

  1. B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authentication in Distributed Systems: Theory and Practice. ACM Transactions on Computer Systems (TOCS). Volume 10, Issue 4 (November 1992). Pages: 265 - 310.
  2. Practical Network Support for IP Traceback. Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson. SIGCOMM 2000.
  3. On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets. Kihong Park, Heejo Lee. SIGCOMM 2001
  4. S. Forrest, A.S. Perelson, L. Allen, and R. Cherukuri. Self-nonself discrimination in a computer. In 1994 IEEE Symposium on Security and Privacy.
  5. S. Forrest, S.A. Hofmeyr, A. Somayaji, T.A. Longstaff. A sense of self for Unix processes
  6. T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Systems Security

  1. M. Castro and B. Liskov. Practical Byzantine Fault Tolerance. In Proceedings of the Third Symposium on Operating Systems Design and Implementation (OSDI '99), New Orleans, USA, February 1999.
  2. R. Wahbe, S. Lucco, T.E. Anderson, and S.L. Graham. Efficient software-based fault isolation. Proceedings of the fourteenth ACM symposium on Operating systems principles, Pages: 203 - 216, 1994.

Analysis of Cryptographic Protocols

  1. D. Dolev and A. Yao. "On the security of public key protocols"
  2. M Burrows, M Abadi, R Needham. "A logic of authentication"
  3. Gavin Lowe. "Breaking and fixing the Needham-Schroeder public-key protocol using FDR"
  4. FJT Fabrega, JC Herzog, JD Guttman. "Strand spaces: Proving security protocols correct"

Privacy and Anonymity

  1. Anonymous Connections and Onion Routing
  2. Freenet: A distributed anonymous information storage and retrieval system
  3. Crowds: Anonymity for web transactions