Transcript CSIS 5857

Diffie-Hellman Key Exchange
CSCI 5857: Encoding and Encryption
Outline
•
•
•
•
•
•
Key exchange without public/private keys
Public and private components of Diffie-Hellman
Secure information exchange in Diffie-Hellman
Underlying mathematics
Man-in-the-middle attack
Station-to-station key exchange
Diffie-Hellman Key Exchange
• Common goal of public key encryption:
Securely agree upon a symmetric key
–
–
–
–
Bob generates symmetric key KS
Encrypts with Alice’s public key KAPU and sends to Alice
Alice decrypts with her private key KAPR
Then use KS to exchange information (using AES, 3DES, etc.)
• Problem: What if neither Alice or Bob have a public key?
• Diffie-Hellman key exchange (1976 – precedes RSA)
– Allows two people to securely generate a symmetric key
without a preexisting public key
– Based on modular logarithms
Secure Key Generation
• Alice, Bob exchange data to securely generate a value
– Data transmitted doesn’t allow others to find that value
• That value used as symmetric key to send further
information
Public info
Private info
generator
P
E
Public info
Private info
generator
Esymmetric (P, kS)
D
P
Public and Private Information
• Public information (known to Alice, Bob, and everyone):
– p: large prime number (at least 1024 bits)
– g: Primitive root “generator” (g < p)
• Private information
– x: random number created (and only known) by Alice
– y: random number created (and only known) by Bob
– x and y used to generate shared key k
Knows p, g
Generates x
Knows p, g
Generates y
5
Key Generation
•
•
•
•
Alice computes R1 = gx mod p
Bob computes R2 = gy mod p
Alice sends R1 to Bob
Bob sends R2 to Alice
6
Security of Key Generation
• Darth cannot derive x from R1 or y from R2
• Would have to solve modular logarithm problem
– x = logg (R1 mod p)
– y = logg (R2 mod p)
7
Key Computation
• Alice computes k = R2 x mod p
• Bob computes k = R1 y mod p
• Alice, Bob now have shared key k
– Nobody else can compute without knowing x or y
– No secret information transmitted!
8
Diffie-Hellman Mathematics
• Alice’s POV: k = R2 x mod p
= (gy mod p)x mod p
= gyx mod p
• Bob’s POV: k = R1 y mod p
= (gx mod p)y mod p
= gxy mod p
• gyx mod p = gxy mod p = k
9
Diffie-Hellman Example
Public key: g = 7, p = 23
Chooses x = 3
R1 = 73 mod 23 = 21
4
K = 43 mod 23 = 18
Chooses y = 6
R2 = 76 mod 23 = 4
21
K = 216 mod 23 = 18
10
Man-in-the-Middle Attack
• Most serious weakness in Diffie-Hellman
• Assumes Darth has ability to:
– Intercept messages between Alice and Bob
– Masquerade as Alice or Bob to send messages to
the other
“I am Bob”
“I am Alice”
11
Man-in-the-Middle Attack
• Darth generates own random value z
• Computes own R3 = gz mod p from public values of
p, g
• Goal:
Trick Alice and Bob into using keys he has created
from z
12
Man-in-the-Middle Attack
• Darth intercepts R1 sent by Alice
and R2 sent by Bob
• Computes kAlice = R1 z mod p
• Computes kBob = R2 z mod p
R1
x
R2
z
R3
kAlice kBob
y
13
Man-in-the-Middle Attack
• Darth sends R3 to Alice posing as Bob
• Darth sends R3 to Bob posing as Alice
• Alice computes kAlice = R3 x mod p
• Bob computes kBob = R3 y mod p
R3
R3
kAlice
kAlice kBob
kBob
14
Man-in-the-Middle Attack
• Darth can read messages sent by Alice and Bob!
• Example: Message sent from Alice to Bob
– Alice encrypts with kAlice believing it is secure
– Darth intercepts and decrypts with kAlice
– Re-encrypts with kBob and sends to Bob (posing as Alice
C = E(P, kAlice)
C = E(P, kBob)
P = D(C, kAlice)
15
Station-to-Station Key Agreement
• Participants in Diffie-Hellman must authenticate
their identities
– Only solution to Man-in-the-Middle attack
• Authentication usually based on certificates
– Signed by trusted authorities
– Contain public keys for participants
16
Station-to-Station Key Agreement
17