Station-to-Station protocol

In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme.

In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy.

In the following explanations, exponentiation (Diffie–Hellman) operations provide the basis for key agreement, though this is not a requirement.

Diffie, van Oorschot & Wiener (1992) recommend against special checks to prevent this and instead suggest including the group parameters in Alice's certificate.

A simplified form of STS is available that provides mutual authentication but does not produce a shared secret.

Blake-Wilson & Menezes (1999) note that this variation may be preferable to original STS ("STS-ENC") in any case because The paper goes on to counsel, however, that using K for both a MAC and as the session key violates the principle that keys should not be used for more than one purpose, and presents various workarounds.
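The key-separation principle mentioned above, as an added example that is not taken from the paper or from the original page: instead of using K directly for both purposes, each side derives an independent MAC key and session key from K with HKDF-SHA256 under distinct labels. The toy group, the labels, the function names, and the choice to MAC the two exponentials are assumptions made for illustration; signatures and certificates are omitted, so this shows only the key split, not STS authentication.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group, constructed for this example (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def hkdf(ikm, info, length=32, salt=b""):
    """HKDF-SHA256 (RFC 5869): extract a PRK from ikm, then expand it under `info`."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(shared):
    """Split the DH result K into a MAC-only key and a session-only key."""
    k = shared.to_bytes(16, "big")
    # Hypothetical labels: distinct `info` strings yield independent outputs.
    return hkdf(k, b"sts-example mac"), hkdf(k, b"sts-example session")

def auth_tag(k_mac, sender_exp, receiver_exp):
    """MAC over both exponentials, keyed with the MAC-only key."""
    msg = sender_exp.to_bytes(16, "big") + receiver_exp.to_bytes(16, "big")
    return hmac.new(k_mac, msg, hashlib.sha256).digest()

def verify_tag(key, tag, sender_exp, receiver_exp):
    """Constant-time comparison against the recomputed tag."""
    return hmac.compare_digest(tag, auth_tag(key, sender_exp, receiver_exp))

def run_exchange(x, y):
    """Alice holds x, Bob holds y; Bob sends a tag that Alice checks."""
    gx, gy = pow(G, x, P), pow(G, y, P)
    a_mac, a_session = derive_keys(pow(gy, x, P))  # Alice's view of K
    b_mac, b_session = derive_keys(pow(gx, y, P))  # Bob's view of K
    tag = auth_tag(b_mac, gy, gx)
    return {
        "tag_ok": verify_tag(a_mac, tag, gy, gx),
        # The tag must not verify under the session key: the two keys are unrelated.
        "tag_ok_under_session_key": verify_tag(a_session, tag, gy, gx),
        "a_mac": a_mac, "a_session": a_session, "b_session": b_session,
    }

if __name__ == "__main__":
    # Constructed exponents, fixed so the run is reproducible.
    print(run_exchange(0x1234567890ABCDEF1234, 0x0FEDCBA98765432100FF))
```

Because the session key never keys the MAC, a party who confirms the tag learns nothing that depends on the key later used to protect traffic.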