Abstract
We present the SIGMA family of key-exchange protocols and the “SIGn-and-MAc” approach to authenticated Diffie-Hellman underlying its design. The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios (such as optional identity protection and reduced number of protocol rounds). As a consequence, the SIGMA protocols are very well suited for use in actual applications and for standardized key exchange. In particular, SIGMA serves as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol (versions 1 and 2).
This paper describes the design rationale behind the SIGMA approach and protocols, and points out many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. We motivate the design of SIGMA by comparing it to other protocols, most notably the STS protocol and its variants. In particular, it is shown how SIGMA solves some of the security shortcomings found in previous protocols.
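The exchange the abstract summarizes, as an added example written for this page (it is not code from the paper, from IKE or from any SIGMA implementation): SIGMA-basic in Python. The three-message structure follows the full paper's SIGMA-basic: A sends g^x; B answers with g^y, its identity B, SIG_B(g^x, g^y) and MAC_Km(B); A closes with A, SIG_A(g^y, g^x) and MAC_Km(A), where the MAC key Km and the session key Ks are derived separately from g^xy. Everything else is this example's own choice and assumption: the 127-bit Mersenne prime `P` with generator `G = 3` is a toy group (not secure; substitute a standard DH group or an elliptic-curve library), the Schnorr-style `sign`/`verify` pair, the labelled HMAC-SHA256 `kdf`, the `pki` dictionary standing in for certificates, and the names `Party`, `sigma_basic` and `misbinding_attempt`. The last function shows the failure mode the MAC is there to prevent.

```python
"""SIGMA-basic (SIGn-and-MAc authenticated DH) over a toy group: added example, not the paper's code."""
import hashlib
import hmac
import secrets

# Toy group parameters: NOT secure (127-bit Mersenne prime, full group Z_p^*).
# Replace with a standard DH group or an elliptic-curve library for real use.
P = 2**127 - 1
G = 3
ORDER = P - 1  # exponents are reduced modulo this


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element or exponent (P fits in 16 bytes)."""
    return x.to_bytes(16, "big")


def challenge(r: int, msg: bytes) -> int:
    """Schnorr challenge e = H(R, m); enc(r) is fixed width, so no separator is needed."""
    return int.from_bytes(hashlib.sha256(enc(r) + msg).digest(), "big") % ORDER


def sign(sk: int, msg: bytes):
    """Toy Schnorr-style signature in the same group as the DH exchange."""
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    return r, (k + sk * challenge(r, msg)) % ORDER


def verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    return pow(G, s, P) == (r * pow(pk, challenge(r, msg), P)) % P


def kdf(shared: int, label: bytes) -> bytes:
    """Labelled HMAC-SHA256 so that Km (MAC key) and Ks (session key) are independent."""
    return hmac.new(enc(shared), label, hashlib.sha256).digest()


class Party:
    def __init__(self, name: str, pki: dict):
        self.name, self.pki = name, pki
        self.sk = secrets.randbelow(ORDER - 1) + 1  # long-term identity key
        pki[name] = pow(G, self.sk, P)              # pki dict stands in for certificates
        self.x = secrets.randbelow(ORDER - 1) + 1   # ephemeral exponent: fresh per session
        self.gx = pow(G, self.x, P)                 # g^x (initiator) or g^y (responder)
        self.km = self.ks = None

    def derive(self, peer_gx: int):
        """Compute g^xy and the two derived keys; reject degenerate DH values first."""
        if not 1 < peer_gx < P - 1:                 # 0, 1, p-1 give a fixed/trivial secret
            raise ValueError("bad DH value")
        shared = pow(peer_gx, self.x, P)
        self.km = kdf(shared, b"SIGMA MAC key")
        self.ks = kdf(shared, b"SIGMA session key")

    def auth(self, first: int, second: int) -> dict:
        """SIGn-and-MAc payload: sign both DH values, MAC own identity under Km."""
        return {"id": self.name, "sig": sign(self.sk, enc(first) + enc(second)),
                "mac": hmac.new(self.km, self.name.encode(), hashlib.sha256).digest()}

    def check(self, msg: dict, first: int, second: int):
        """Signature: the key registered under msg['id'] signed THIS exchange's DH values.
        MAC: the signer also knows g^xy, so a third party re-signing public values is caught."""
        pk = self.pki.get(msg["id"])
        if pk is None or not verify(pk, enc(first) + enc(second), msg["sig"]):
            raise ValueError("no valid signature for claimed identity")
        expect = hmac.new(self.km, msg["id"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(msg["mac"], expect):
            raise ValueError("identity MAC failed: signer does not know Km")


def sigma_basic(a: Party, b: Party):
    """The three messages of SIGMA-basic; returns (Ks at A, Ks at B)."""
    gx = a.gx                                       # 1. A -> B: g^x
    b.derive(gx)
    gy, m2 = b.gx, b.auth(gx, b.gx)                 # 2. B -> A: g^y, B, SIG_B(g^x, g^y), MAC_Km(B)
    a.derive(gy)
    a.check(m2, gx, gy)
    m3 = a.auth(gy, gx)                             # 3. A -> B: A, SIG_A(g^y, g^x), MAC_Km(A)
    b.check(m3, gy, gx)
    return a.ks, b.ks


def misbinding_attempt(a: Party, b: Party, eve: Party) -> str:
    """Eve intercepts message 2, re-signs (g^x, g^y) with her own registered key and
    substitutes her identity. Without Km she can only replay B's MAC, so A must reject."""
    gx, gy = a.gx, b.gx
    b.derive(gx)
    forged = {"id": eve.name, "sig": sign(eve.sk, enc(gx) + enc(gy)), "mac": b.auth(gx, gy)["mac"]}
    a.derive(gy)
    try:
        a.check(forged, gx, gy)
    except ValueError as err:
        return str(err)
    return "accepted"
```

Create three parties against one `pki` dictionary and call `sigma_basic(alice, bob)`; both returned keys agree. The signatures alone would not be enough: g^x and g^y are public, so anyone with a registered key can sign them and present the result as their own, which is the identity-misbinding weakness of signature-only designs that the abstract refers to; `misbinding_attempt` returns the MAC failure because Eve cannot compute MAC_Km("eve"). Deriving Km and Ks from g^xy with different labels keeps the MAC from saying anything about the session key. The identity-protecting variants the abstract mentions additionally encrypt messages 2 and 3 under a further derived key; this example leaves them in the clear.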
© 2003 Springer-Verlag Berlin Heidelberg
Krawczyk, H. (2003). SIGMA: The ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols. In: Boneh, D. (eds) Advances in Cryptology - CRYPTO 2003. CRYPTO 2003. Lecture Notes in Computer Science, vol 2729. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45146-4_24
DOI: https://doi.org/10.1007/978-3-540-45146-4_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40674-7
Online ISBN: 978-3-540-45146-4