In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie–Hellman, and provides mutual key and entity authentication. Unlike the classic Diffie–Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the parties have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks. In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol. STS was originally presented in 1987 in the context of ISDN security, finalized in 1989 and generally presented by Whitfield Diffie, Paul C. van Oorschot and Michael J. Wiener in 1992. The historical context for the protocol is also discussed in.

Description

Deployment of STS can take different forms depending on communication requirements and the level of prior communication between parties. The data described in STS Setup may be shared prior to the beginning of a session to lessen the impact of the session's establishment. In the following explanations, exponentiation (Diffie–Hellman) operations provide the basis for key agreement, though this is not a requirement. The protocol may be modified, for example, to use elliptic curves instead.

STS Setup

The following data must be generated before initiating the protocol. Sharing this data prior to the beginning of the session lessens the complexity of the protocol.

Basic STS

Supposing all setup data has been shared, the STS protocol proceeds as follows. If a step cannot be completed, the protocol immediately stops. All exponentials are in the group specified by p. Alice and Bob are now mutually authenticated and have a shared secret. This secret, K, can then be used to encrypt further communication. The basic form of the protocol is formalized in the following three steps: (1) Alice → Bob : gx (2) Alice ← Bob : gy, EK(SB(gy, gx)) (3) Alice → Bob : EK(SA(gx, gy))

Full STS

Setup data can also be incorporated into the protocol itself. Public key certificates may be sent in steps 2 and 3 if the keys are not known in advance. (1) Alice → Bob : gx (2) Alice ← Bob : gy, CertB, EK(SB(gy, gx)) (3) Alice → Bob : CertA, EK(SA(gx, gy)) If system-wide key establishment parameters are not used, the initiator and responder may create and send their own parameters. In this case, parameters should be sent with the exponential. (1) Alice → Bob : g, p, gx They must also be verified by Bob to prevent an active attacker from inserting weak parameters (and thus a weak key K). recommend against special checks to prevent this and instead suggest including the group parameters in Alice's certificate.

Variations

The variations mentioned here are from the original STS paper. See the following references for other, more significant variations.

Authentication-only STS

A simplified form of STS is available that provides mutual authentication but does not produce a shared secret. It uses random number challenges instead of the above Diffie–Hellman technique. Formally: (1) Alice → Bob : x (2) Alice ← Bob : y, SB(y, x) (3) Alice → Bob : SA(x, y) This protocol can be extended to include certificates as in Full STS.

STS-MAC

In cases where encryption is a not viable choice in session establishment, K can instead be used to create a MAC. (1) Alice → Bob : gx (2) Alice ← Bob : gy, SB(gy, gx), MACK(SB(gy, gx)) (3) Alice → Bob : SA(gx, gy), MACK(SA(gx, gy)) note that this variation may be preferable to original STS ("STS-ENC") in any case because The paper goes on to counsel, however, that using K for both a MAC and as the session key violates the principle that keys should not be used for more than one purpose, and presents various workarounds.

Cryptanalysis

STS-MAC is vulnerable to some unknown key-share attacks, whereby an active attacker can inject his own identity into the session establishment procedure in place of either initiator or responder. present the vulnerabilities and some solutions.