Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol

  • Simon Blake-Wilson
  • Alfred Menezes
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1560)


This paper presents some new unknown key-share attacks on STS-MAC, the version of the STS key agreement protocol that uses a MAC algorithm to provide key confirmation. Various methods for preventing the attacks are considered.







Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Simon Blake-Wilson, Certicom Research, Mississauga, Canada
  • Alfred Menezes, Department of Combinatorics & Optimization, University of Waterloo, Waterloo, Canada
