[cryptography] Why TLS? Why not modern authenticated D-H exchange?

Thierry Moreau thierry.moreau at connotech.com
Tue Sep 6 11:43:11 EDT 2016

Dear applied cryptographers ...

The STS protocol (Station-To-Station) evolved into Hugo Krawczyk SIGMA 
(Sign-and-MAC) variant which is now found in IPSEC IKE and HIP (Host 
Identity Protocol, IETF RFC7401).

However, if one wants to consider this as an alternative to TLS, 
documentation sources are few and either too academic or too overloaded 
with protocol details detracting from the security properties.

I did face this situation while looking for a basic authenticated key 
establishment protocol. STS has been the very first secure protocol to 
which I was exposed decades ago, but recently I could not recognize its 
features/properties in any TLS deployment profile. So I researched the 
STS impact on modern protocols and I recorded my findings in this document:

"The Classical Authenticated Diffie-Hellman Exchange Revisited (with the 
Bladderwort Protocol Feature Addition)"



When a secure data communications channel between two distant server 
systems must be established, the TLS (Transport Layer Security) is the 
solution that comes first to the mind of IT security experts. Departing 
from this default common wisdom, we revisit the authenticated 
Diffie-Hellman exchange as a solution well rooted in the early ideas in 
the field of public key cryptography, refined by the dedication of 
theoreticians, and entrenched in a few (less conspicuous) Internet 
secure protocol standards, namely IPSEC IKE and HIP. Under the name 
Bladdarwort, we also propose a minor protocol addition for streamlined 
server operations where a long-term private signature key is better kept 
off-line during the operational phase of the secure communications channel.

I guess the end result holds important lessons, as a straightforward 
solution path for a basic and recurring issue in IT security. Yet, the 
difficult aspects of applied cryptography remain difficult, the document 
being explicit about them.

Thus, why TLS?

- Thierry Moreau

More information about the cryptography mailing list