The station-to-station (STS) protocol uses a signature in the exchanged messages to add authentication to the well-known Diffie-Hellman protocol. This uses arithmetic in the multiplicative group of a finite field of prime order with generator . Exponents x and y are chosen randomly by A and B respectively and are used to form the session key . The messages in a successful protocol run are as follows.
Here represents the signature by the principal X on the string in the brackets, while denotes encryption of message M using key K. The particular signature algorithm chosen does not matter for the protocol. Consider how the good key goal is achieved for A.
Thus it appears that A gains key confirmation, as well as good key with B, from message 2. With regard to user-oriented goals, it seems clear that both users achieve liveness of the other, since each receives a signed message containing a value it knows to be fresh. Entity authentication is more problematic, since the signed messages include no explicit identifiers from which the desired communications partner could be deduced. Recently Lowe has proposed an attack on the STS protocol. The attack does not affect the key establishment properties but concerns whether entity authentication is achieved.
Suppose I is an intruder who wishes to attack the protocol.
The attack runs as follows, where denotes I masquerading as principal X.
The attack is very simple; I is doing little more than relaying each message that passes between A and B. What is the result? B has no indication that A has engaged in the protocol and yet A has completed a successful run, apparently with B.
Is this a successful attack on the STS protocol? The answer must be that it depends on what it was believed that STS achieves.
Thus the attack is valid if mutual belief in the key was a protocol goal. It may also be valid if entity authentication was a goal. However, it is interesting to note that Syverson and Van Oorschot prove in their logic that the protocol satisfies their goal SVO2, which they term entity authentication. Lowe proposes that the identity of the other party be included in the signatures in order to overcome the attack. This also allows an informal argument that the extensional definition of entity authentication is achieved, if the included identifier is interpreted as the name of the entity with which communication is desired.
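
The effect of Lowe's proposed change on A's check of message 2 can be seen in the following added example, which is not part of the original text. It assumes the signed string in message 2 is the pair of exponentials, omits the encryption under the session key, and uses a toy textbook-RSA signature with constructed parameters; the names `b_reply`, `a_accepts` and `run` are hypothetical.

```python
import hashlib

# Toy parameters, constructed for this example; far too small for real use.
P = 2**127 - 1    # prime modulus of the Diffie-Hellman group
G = 3             # base element, assumed here to play the generator's role
E = 65537         # public exponent of the toy textbook-RSA signature

def keygen(p, q):
    """Textbook RSA key pair, standing in for 'any signature algorithm'."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(n, fields):
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, fields):
    return pow(digest(n, fields), d, n)

def verify(n, sig, fields):
    return pow(sig, E, n) == digest(n, fields)

B_N, B_D = keygen(2**89 - 1, 2**107 - 1)    # B's signing key (constructed)

def b_reply(gx, y, peer, bind_identity):
    """B's message 2, signed for whoever B believes its peer to be."""
    gy = pow(G, y, P)
    fields = [gy, gx] + ([peer] if bind_identity else [])
    return gy, sign(B_N, B_D, fields)

def a_accepts(gx, gy, sig, bind_identity):
    """A's check on message 2. A expects its own name in the signed string."""
    fields = [gy, gx] + (["A"] if bind_identity else [])
    return verify(B_N, sig, fields)

def run(b_thinks_peer_is, bind_identity):
    """One exchange: B answers the party named in b_thinks_peer_is and the
    reply is delivered to A unchanged. Returns True if A accepts it."""
    x, y = 0x1234567, 0x7654321    # constructed exponents
    gx = pow(G, x, P)
    gy, sig = b_reply(gx, y, b_thinks_peer_is, bind_identity)
    return a_accepts(gx, gy, sig, bind_identity)

if __name__ == "__main__":
    for bind in (False, True):
        print("identity in signature:", bind,
              "| honest run accepted:", run("A", bind),
              "| relayed run accepted:", run("I", bind))
```

Without the identifier, A accepts B's signature even though B produced it in a run with I; with the identifier, the same relayed signature fails A's verification while the honest run still succeeds.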