Station-to-Station protocol

The Station-to-Station (STS) protocol is a cryptographic key agreement scheme based on classic Diffie-Hellman that provides mutual key and entity authentication.

In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an "authenticated key agreement with key confirmation" (AKC) protocol.

STS was originally presented in 1987 in the context of ISDN security Harv|O'Higgins|Diffie|Strawczynski|do Hoog|1987, finalized in 1989 and generally presented by Whitfield Diffie, Paul C. van Oorschot and Michael J. Wiener in 1992. The historical context for the protocol is also discussed in Harvtxt|Diffie|1988.


Deployment of STS can take different forms depending on communication requirements and the level of prior communication between parties. The data described in STS Setup may be shared prior to the beginning of a session to lessen the impact of the session's establishment.

In the following explanations, exponential (Diffie-Hellman) operations provide the basis for key agreement, though this is not a requirement. The protocol may be modified, for example, to use elliptic curves instead.

TS Setup

The following data must be generated before initiating the protocol.

:; An asymmetric signature keypair for each party : Required for authentication. The public portion of this keypair may be shared prior to session establishment.:; Key establishment parameters : The specification of a cyclic group "p" and a generator "g" for that group. These parameters may be public. Harvtxt|Menezes|van Oorschot|Vanstone|1997 note that for additional security each party may supply its own parameters.

Sharing this data prior to the beginning of the session lessens the complexity of the protocol.

Basic STS

Supposing all setup data has been shared, the STS protocol proceeds as follows (all exponentials are in the group specified by "p"). If a step cannot be completed, the protocol immediately stops.

#Alice generates a random number "x" and computes and sends the exponential "g""x" to Bob.
#Bob generates a random number "y" and computes the exponential "g""y".
#Bob computes the shared secret key "K" = ("g""x")"y".
#Bob concatenates the exponentials ("g""y", "g""x") (order is important), signs them using his asymmetric key "B", and then encrypts them with "K". He sends the ciphertext along with his own exponential "g""y" to Alice.
#Alice computes the shared secret key "K" = ("g""y")"x".
#Alice decrypts and verifies Bob's signature.
#Alice concatenates the exponentials ("g""x", "g""y") (order is important), signs them using her asymmetric key "A", and then encrypts them with "K". She sends the ciphertext to Bob.
#Bob decrypts and verifies Alice's signature.

Alice and Bob are now mutually authenticated and have a shared secret. This secret, "K", can then be used to encrypt further communication. The basic form of the protocol is formalized in the following three steps:

(1) Alice → Bob : "g""x" (2) Alice ← Bob : "g""y", E"K"(S"B"("g""y", "g""x")) (3) Alice → Bob : E"K"(S"A"("g""x", "g""y"))

Full STS

Setup data can also be incorporated into the protocol itself. Public key certificates may be sent in steps 2 and 3 if the keys are not known in advance.

(1) Alice → Bob : "g""x" (2) Alice ← Bob : "g""y", Cert"B", E"K"(S"B"("g""y", "g""x")) (3) Alice → Bob : Cert"A", E"K"(S"A"("g""x", "g""y"))

If system-wide key establishment parameters are not used, the initiator and responder may create and send their own parameters. In this case, parameters should be sent with the exponential.

(1) Alice → Bob : "g", "p", "g""x"

They must also be verfied by Bob to prevent an active attacker from inserting weak parameters (and thus a weak key "K"). Harvtxt|Diffie|van Oorschot|Wiener|1992 recommend against special checks to prevent this and instead suggest including the group parameters in Alice's certificate.


The variations mentioned here are from the original STS paper. See the following references for other, more significant variations.

* Citation
last1 = Bellare | first1 = M.
last2 = Canetti | first2 = R.
last3 = Krawczyk | first3 = H.
contribution = A modular approach to the design and analysis of authentication and key exchange protocols
title = Proceedings of the 30th Annual Symposium on the Theory of Computing
year = 1998

*RFC 2412, "The OAKLEY Key Determination Protocol".
*ISO/IEC 11770­3, "Mechanisms Using Asymmetric Techniques", (1999).

Authentication-only STS

A simplified form of STS is available that provides mutual authentication but does not produce a shared secret. It uses random number challenges instead of the above Diffie-Hellman technique.

#Alice generates a random number "x" sends it to Bob.
#Bob generates a random number "y".
#Bob concatenates the random numbers ("y", "x") (order is important) and signs them using his asymmetric key "B". He sends the signature along with his own random number to Alice.
#Alice verifies Bob's signature.
#Alice concatenates the random numbers ("x", "y") (order is important) and signs them using her asymmetric key "A". She sends the signature to Bob.
#Bob verifies Alice's signature.


(1) Alice → Bob : "x" (2) Alice ← Bob : "y", S"B"("y", "x") (3) Alice → Bob : S"A"("x", "y")

This protocol can be extended to include certificates as in Full STS.


In cases where encryption is a not viable choice in session establishment, "K" can instead be used to create a MAC.

(1) Alice → Bob : "g""x" (2) Alice ← Bob : "g""y", S"B"("g""y", "g""x"), MAC"K"(S"B"("g""y", "g""x")) (3) Alice → Bob : S"A"("g""x", "g""y"), MAC"K"(S"A"("g""x", "g""y"))

Harvtxt|Blake-Wilson|Menezes|1999 note that this variation may be preferable to original STS ("STS-ENC") in any case because

:".. the use of encryption to provide key confirmation in STS-ENC is questionable — traditionally the sole goal of encryption is to provide confidentiality and if an encryption scheme is used to demonstrate possession of a key then it is shown by decryption, not by encryption."

The paper goes on to counsel, however, that using "K" for both a MAC and as the session key violates the principle that keys should not be used for more than one purpose, and presents various workarounds.


STS-MAC is vulnerable to some "unknown key-share" attacks whereby an active attacker can inject her own identity into the session establishment procedure in place of either initiator or responder. Harvtxt|Blake-Wilson|Menezes|1999 present the vulnerabilities and some solutions.


* Citation
last1 = Blake-Wilson | first1 = S.
last2 = Menezes | first2 = A.
contribution = Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol
title = Public Key Cryptography
series = Lecture Notes in Computer Science | volume = 1560
pages = 154–170 | year = 1999 | publisher = Springer

* Citation
last1 = Diffie | first1 = W.
title = The first ten years of public-key cryptography
journal = Proceedings of the IEEE | volume = 76
pages = 560–577 | year = 1988 | publisher = IEEE
doi = 10.1109/5.4442

* Citation
last1 = Diffie | first1 = W.
last2 = van Oorschot | first2 = P. C.
last3 = Wiener | first3 = M. J.
title = Authentication and Authenticated Key Exchanges
journal = Designs, Codes and Cryptography | volume = 2
pages = 107–125 | year = 1992 | publisher = Kluwer Academic Publishers
doi = 10.1007/BF00124891

* Citation
last1 = Menezes | first1 = A.
last2 = van Oorschot | first2 = P. C.
last3 = Vanstone | first3 = S.
title = Handbook of Applied Cryptography
pages = 519–520 | year = 1997 | publisher = CRC Press

* Citation
last1 = O'Higgins | first1 = B.
last2 = Diffie | first2 = W.
last3 = Strawczynski | first3 = L.
last4 = do Hoog | first4 = R.
contribution = Encryption and ISDN - A Natural Fit
title = 1987 International Switching Symposium (ISS87)
year = 1987

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Station (networking) — In IEEE 802.11 (Wi Fi) terminology, a station (STA) is a device that has the capability to use the 802.11 protocol. For example, a station may be a laptop, a desktop PC, or a Wireless Access also*Basic Service Set *Service set identifier …   Wikipedia

  • Address Resolution Protocol — In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host s hardware address when only its Network Layer address is known. ARP is defined in RFC 826. [RFC 826 Address Resolution Protocol, a.k.a. STD 37] It is… …   Wikipedia

  • Simple Network Management Protocol — SNMP (Simple Network Management Protocol) Familie: Internetprotokollfamilie Einsatzgebiet: Netzwerkverwaltung Neueste Version: SNMPv3 Ports: 161/UDP 162/UDP (Trap) SNMP im TCP/IP‑Protokollstapel …   Deutsch Wikipedia

  • Link Layer Discovery Protocol — The Link Layer Discovery Protocol (LLDP) is a vendor neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on a IEEE 802 local area network, principally… …   Wikipedia

  • Program and System Information Protocol — The Program and System Information Protocol (PSIP) is the protocol used in the ATSC and DVB digital television systems for carrying metadata about each channel in the broadcast transport stream of a TV station and for publishing information about …   Wikipedia

  • Cellular data communication protocol — The protocols described here are from the Cellular Data Communication Protocol.GSM and CDMA protocols described here include: *BSMAP Base Station Management Application Part *BSSAP BSS Application Part *BSSLAP *BSSAPLE *BSSMAP BSS Management… …   Wikipedia

  • Secure Communications Interoperability Protocol — SCIP is the U.S. Government s standard for secure voice and data communication. The acronym stands for Secure Communications Interoperability Protocol and was adopted to replace the FNBDT (Future Narrowband Digital Terminal) title in 2004. SCIP… …   Wikipedia

  • Kermit (protocol) — Kermit is a computer file transfer/management protocol and a set of communications software tools primarily used in the early years of personal computing in the 1980s; it provides a consistent approach to file transfer, terminal emulation, script …   Wikipedia

  • Internet Group Management Protocol — IGMP im TCP/IP Protokollstapel Internet IGMP IP (IPv4) Netzzugang Ethernet Token Bus Token Ring FDDI …   Deutsch Wikipedia

  • Base station subsystem — The Base Station Subsystem (BSS) is the section of a traditional cellular telephone network which is responsible for handling traffic and signaling between a mobile phone and the network switching subsystem. The BSS carries out transcoding of… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.