
SIGMA and the cryptographic rationale for IKE exchanges




A paper describing the rationale of the design of the SIGMA 
key-exchange protocols that served as the cryptographic basis for the
signature modes of IKE and the current revised exchanges in ikev2 (and
jfk-r) is available from
http://www.ee.technion.ac.il/~hugo/sigma.ps 
(you can also download sigma.pdf but I do not guarantee its font 
quality...)

I will make a short announcement about this paper during the ipsec meeting 
in Atlanta which may give an opportunity for some off-line discussions.

I am posting the paper now.
Check in the next weeks for updates.
The abstract is attached.

Hugo

Title:

SIGMA: the `SIGn-and-MAc' Approach to Authenticated Diffie-Hellman
and its Use in the IKE Protocols

Abstract:

We present the SIGMA key-exchange protocols and the ``SIGn-and-MAc"
approach to authenticated Diffie-Hellman that stands at the core of the
cryptographic design of SIGMA. The SIGMA protocols provide perfect forward
secrecy via a Diffie-Hellman exchange authenticated with digital
signatures. They are specifically designed to provide a variety of
features and trade-offs required in practical scenarios (such as optional
identity protection and reduced number of protocol rounds) as well as to
enjoy sound cryptographic security. In particular, the SIGMA protocols
serve as the cryptographic basis for the signature-based modes of the
standardized Internet Key Exchange (IKE) protocol, and are also used in the
ongoing revision of this standard.
 
This paper describes the design rationale behind the SIGMA approach and
protocols, and points out many subtleties surrounding the design
of secure key-exchange protocols in general, and identity-protecting
protocols in particular.  We motivate the design of SIGMA by comparing
it to other protocols, most notably the STS protocol and its variants.
In particular, it is shown how SIGMA solves some of the security
shortcomings found in previous protocols.