0Pricing
Cryptology Academy · Lesson

Station-to-Station Protocol (STS)

Study STS as a corrected authenticated key exchange protocol and its use in SSH and IKE.

Motivation for STS

The Station-to-Station (STS) protocol (Diffie, van Oorschot, Wiener, 1992) was designed to provide authenticated key agreement without a trusted third party. Pure Diffie-Hellman key exchange is unauthenticated — a man-in-the-middle can substitute their own DH values, establishing separate sessions with each party who believe they share a key. STS combines DH with digital signatures and public key certificates to provide mutual authentication. The parties authenticate by signing the DH transcript, binding the session key to their identities. STS directly influenced the design of IKE (Internet Key Exchange for IPsec) and SSH.

STS Protocol Steps

The STS protocol proceeds as follows. Alice and Bob agree on a DH group (prime p, generator g). (1) Alice sends g^a mod p to Bob. (2) Bob sends g^b mod p, Cert_B, Sig_B{g^b, g^a} to Alice. Bob signs the concatenation of both DH values using his private key. (3) Alice verifies Bob's certificate and signature, then sends Cert_A, Sig_A{g^a, g^b} encrypted under the session key K = (g^ab mod p). Alice's identity and signature are encrypted, providing Alice's identity protection — passive eavesdroppers cannot link Alice to this session. Both parties compute K = g^ab mod p and are mutually authenticated via the signatures.

All lessons in this course

  1. The Needham-Schroeder Protocol and Attacks
  2. Station-to-Station Protocol (STS)
  3. The Noise Protocol Framework
  4. Principles of Secure Protocol Design
← Back to Cryptology Academy