1. Known-key security
An outsider cannot compute the current session key even if he knows some previous session keys.
2. Perfect forward secrecy
The compromise of the private keys of both the participating entities does not affect the security of the previous session keys.
3. Key-compromise impersonation resistance
Even if the client’s long-term private key is compromised, an adversary who has obtained that private key cannot masquerade as the server S and obtain the resulting session key.
4. Man-in-the-middle attack
5. On-line password guessing attack
The adversary guesses a password $pw$ and issues $\textbf{Send}$ queries with its guesses. Obviously, this attack could be detected if the adversary’s guessed password is wrong.
6. Off-line password guessing attack
An adversary eavesdrops on the communication between two parties. It then makes a guess of the password, $pw'$, using the messages related to the real password $pw$.
7. Replay attack
Suppose that an adversary impersonates $Client$ and replays the message sent in another session by $Client$ to $Server$.
8. Unknown key-share
Entity $B$ is coerced into sharing a key with entity $A$ without $B$’s knowledge.
In [SAC1998], there is an example of electronic deposit of funds.
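
For item 7 (replay attack), the following added example, which is not from the original page or from [SAC1998], shows a server-side check that rejects a message replayed from another session. It assumes a pre-shared MAC key and a server-issued per-session nonce; the names `Server`, `client_tag` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets


def client_tag(key: bytes, session_id: str, nonce: bytes, payload: bytes) -> bytes:
    """MAC that binds the payload to one session and one server nonce."""
    sid = session_id.encode()
    # Length-prefix the variable-length fields so the encoding is unambiguous.
    msg = len(sid).to_bytes(2, "big") + sid + len(nonce).to_bytes(2, "big") + nonce + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """Hypothetical server that challenges every session with a fresh nonce."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._open = {}  # session id -> nonce still awaiting a response

    def start_session(self, session_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open[session_id] = nonce
        return nonce

    def accept(self, session_id: str, payload: bytes, tag: bytes) -> bool:
        # pop(): each challenge is answered at most once, so a second copy
        # of the same message in the same session is rejected as well.
        nonce = self._open.pop(session_id, None)
        if nonce is None:
            return False
        expected = client_tag(self._key, session_id, nonce, payload)
        return hmac.compare_digest(expected, tag)


def demo():
    key = secrets.token_bytes(32)      # constructed sample key
    payload = b"client-hello"          # constructed sample message
    server = Server(key)

    n1 = server.start_session("s1")
    tag1 = client_tag(key, "s1", n1, payload)
    genuine = server.accept("s1", payload, tag1)

    same_session_replay = server.accept("s1", payload, tag1)

    server.start_session("s2")         # fresh nonce that the old tag does not cover
    cross_session_replay = server.accept("s2", payload, tag1)
    return genuine, same_session_replay, cross_session_replay
```
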
[SAC1998] Authenticated Diffie-Hellman Key Agreement Protocols