SIGMA: The ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


We present the SIGMA family of key-exchange protocols and the “SIGn-and-MAc” approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios (such as optional identity protection and reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2).

This paper describes the design rationale behind the SIGMA approach and protocols, and points out many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notably the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols.
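The following is an added illustration of the basic three-message SIGMA exchange summarised in the abstract (Diffie-Hellman values signed by each party, and each party's identity MACed under a key derived from g^xy); it is not code from the paper. It assumes, purely as constructed toy parameters, a small Mersenne-prime DH group, textbook RSA over a SHA-256 hash as the signature scheme, SHA-256 as the KDF and HMAC as the MAC, and it omits the identity-protection variants.

```python
import hashlib, hmac, secrets

# Toy parameters constructed for this example only; nowhere near production strength.
P, G = 2**127 - 1, 2                                  # DH modulus (Mersenne prime), generator
A_PRIMES, B_PRIMES = (2**61 - 1, 2**89 - 1), (2**107 - 1, 2**127 - 1)  # for toy RSA keys

def rsa_keygen(p, q, e=65537):                        # -> (public key (n, e), private key (n, d))
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
def h_int(*parts): return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
def sign(sk, *parts): return pow(h_int(*parts) % sk[0], sk[1], sk[0])   # SIG: toy RSA on a hash
def verify(pk, sig, *parts): return pow(sig, pk[1], pk[0]) == h_int(*parts) % pk[0]
def enc(v): return v.to_bytes(16, "big")              # fixed-width encoding of a group element
def derive(shared, label): return hashlib.sha256(label + enc(shared)).digest()  # Km / Ks from g^xy
def mac(km, ident): return hmac.new(km, ident, hashlib.sha256).digest()         # MAC_Km(identity)

def check_peer(pk, km, ident, sig, tag, *shares):
    # SIGn-and-MAc: signature covers both DH values; MAC under Km binds the peer's identity to g^xy
    return verify(pk, sig, *shares) and hmac.compare_digest(tag, mac(km, ident))

def initiator_start():                                # msg1: A -> B : g^x
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def responder_reply(gx, b_id, b_sk):                  # msg2: B -> A : g^y, B, SIG_B(g^x, g^y), MAC_Km(B)
    y = secrets.randbelow(P - 2) + 1
    gy, km = pow(G, y, P), derive(pow(gx, y, P), b"mac")
    return y, (gy, b_id, sign(b_sk, enc(gx), enc(gy)), mac(km, b_id))

def initiator_finish(x, gx, msg2, b_pk, a_id, a_sk):  # msg3: A -> B : A, SIG_A(g^y, g^x), MAC_Km(A)
    gy, b_id, sig_b, tag_b = msg2
    shared = pow(gy, x, P); km = derive(shared, b"mac")
    if not check_peer(b_pk, km, b_id, sig_b, tag_b, enc(gx), enc(gy)):
        raise ValueError("responder authentication failed")
    return (a_id, sign(a_sk, enc(gy), enc(gx)), mac(km, a_id)), derive(shared, b"session")

def responder_finish(y, gy, gx, msg3, a_pk):          # B checks msg3 and outputs the session key Ks
    a_id, sig_a, tag_a = msg3
    shared = pow(gx, y, P); km = derive(shared, b"mac")
    if not check_peer(a_pk, km, a_id, sig_a, tag_a, enc(gy), enc(gx)):
        raise ValueError("initiator authentication failed")
    return derive(shared, b"session")

def run_sigma(a_id, a_keys, b_id, b_keys, tamper_id=None):
    """Full run; returns (Ks at A, Ks at B). tamper_id replaces B's identity in msg2 in transit."""
    (a_pk, a_sk), (b_pk, b_sk) = a_keys, b_keys
    x, gx = initiator_start()
    y, msg2 = responder_reply(gx, b_id, b_sk)
    if tamper_id is not None: msg2 = (msg2[0], tamper_id) + msg2[2:]
    msg3, ks_a = initiator_finish(x, gx, msg2, b_pk, a_id, a_sk)
    return ks_a, responder_finish(y, msg2[0], gx, msg3, a_pk)
```

The tamper path shows the point of the MAC half: an in-transit substitution of the responder's identity leaves B's signature valid but fails the MAC check, so the initiator aborts instead of binding the key to the wrong peer.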





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. EE Department, Technion, Haifa, Israel
  2. IBM T.J. Watson Research Center
