Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.

Published byClifford Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007."— Presentation transcript:

1 1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007

2 2 Outline  The basic foundation: multiplicative group modulo prime  The basic Diffie-Hellman (DH) protocol The discrete logarithm problem  The basic protocol is insecure: Spoofing attacks Subgroup attacks  Use a safe prime approach to address the second insecurity issue. An enhanced DH protocol

3 3 Motivation for the DH protocol  Using a secret-key cryptosystem, how many secret keys are needed for a group of n people to communicate? C(n, 2) = n(n–1)/2 = O(n 2 ) Managing a large number of keys is another problem. With or without a trusted third party, such as a key server.  Whitfield Diffie and Martin Hellman asked Whether this can be done more efficiently by having the encryption and decryption keys different. Came up the Diffie-Hellman (DH) protocol, which is a partial solution. Agree on a secret key over an insecure channel.

4 4 Multiplicative group modulo prime  The DH protocol derives a secret key from Z * p, the multiplicative group modulo p. Z * p ={1, 2, 3, …, p1} under modulo multiplication operations. p is a very large prime (e.g., 2000-4000 bits long).  Z * p under modulo multiplication operations is a group. Closure, associativity, commutative The element 1 is the identity. Each member has a unique inverse.

5 5 For example, p = 7  Z * 7 = {1, 2, 3, …, 6} 1’s inverse is 1 2’s inverse is 4 3’s inverse is 5 4’s inverse is 2 5’s inverse is 3 6’s inverse is 6  Generally, 1’s inverse is 1 p1’s inverse is p1 (why?). There are methods to find the verses for other elements between 1 and p1.

6 6 Primitive elements  There exists at least a primitive element in Z * p that can generate the entire Z * p by exponentiations.  For Z * 7, 3 is a primitive, because 3 0 mod 7 = 1, 3 1 mod 7 = 3, 3 2 mod 7 = 2, 3 3 mod 7 = 6, 3 4 mod 7 = 4, 3 5 mod 7 = 5, 3 6 mod 7 = 1, …  You can show that 5 is another primitive element.

7 7 For other elements: 1, 2, 4, 6,  1 0 mod 7 = 1,  1 1 mod 7 = 1, ……  ------------------  2 0 mod 7 = 1,  2 1 mod 7 = 2,  2 2 mod 7 = 4,  2 3 mod 7 = 1, ……  4 0 mod 7 = 1,  4 1 mod 7 = 4,  4 2 mod 7 = 2,  4 3 mod 7 = 1, ……  ------------------  6 0 mod 7 = 1,  6 1 mod 7 = 6,  6 2 mod 7 = 1, ……

8 8 Subgroups and order  For any divisor of p–1, say d, there is a single subgroup of size d.  For p = 7 again, p – 1 = 6 and its divisors are 1, 2, 3, 6. A subgroup of size 1: {1} A subgroup of size 2: {1,6} A subgroup of size 3: {1,2,4} A subgroup of size 6: {1,2,3,4,5,6}.  Order of an element Order of 1 is 1, because 1 1 mod 7 = 1. Order of 6 is 2, because 6 2 mod 7 = 1. Order of 2 and 4 is 3. Order of 3 and 5 is 6.

9 9 The basic DH protocol  Agree on a large prime p and a primitive element g in Z * p (g is also called a generator). Both p and g are not secrets.  Alice (Bob) chooses a random x (y) in Z * p (1, 2, …, p–1) and computes g x mod p (g y mod p). Send the result to Bob (Alice), and the result is not a secret.  Alice computes the secret key k as (g y mod p) x mod p = g xy mod p.  Bob computes the secret key k as (g x mod p) y mod p = g xy mod p.  Note that k  Z * p.

10 10 The basic DH protocol

11 11 The discrete logarithm problem  Given the knowledge of p, g, g x mod p, and g y mod p, how does an attacker find g xy mod p?  The best method known is to solve the discrete logarithm problem. Given X = g x mod p, g, and p, find x (x = log g X). Analogous to computing logarithm in real numbers. With x and g y mod p, one can compute g xy mod p.

12 12 For example,  p = 13 and g = 2 is a primitive element Given g x mod p = 1, x = 0 Given g x mod p = 2, x = 1 Given g x mod p = 3, x = 4 Given g x mod p = 4, x = 2 …  Solving the discrete logarithm problem Exhaustive search by computing g 1, g 2, g 3, …, until g x is found. Precompute all possible values of g i, and then sort the list of ordered pairs (i, g i ) with respect to the second component. Perform a binary search for g x. Many other smart algorithms

13 13 A spoofing attack  The basic DH protocol does not protect against the man-in-the-middle attack.  Alice cannot authenticate whether the other side is Bob, and vice versa.  Instead, Eve establishes secret keys with Alice and Bob. Eve can relay the message so that both sides are not aware of the attack. Need authentication mechanisms.

14 14 A spoofing attack

15 15 Attacks on reducing the set of keys  Problem 1: Reducing the order to 1. Eve can intercept g x mod p and g y mod p, and replace them with 1. Therefore, k = 1.  Problem 2: Reducing the order to significantly less than p – 1. g may not be a primitive element of Z * p, therefore which may have a small order. Eve intercepts g x mod p and replaces it with h where h has a small order.

16 16 Avoiding small subgroups  If p is a large prime, then p–1 is always even. Therefore, There is a subgroup of size 1. There is a subgroup of size p–1. There are possibly other subgroups, some of them may be too small to be secure.  Use a safe prime to avoid small subgroups other than the one with size 2, which always present.

17 17 A safe prime approach  A safe prime is a large enough prime p = 2q + 1, where q is also a prime. p–1’s divisors are 1, 2, q, 2q. Reason for having q as a prime?  Now, Z * p for such a safe prime has the following subgroups. {1} {1, p–1} A subgroup of size q A subgroup of size 2q (the full group)  The first 2 subgroups are easy to avoid.  Use either the subgroup of size q or the full group.

18 18 Why the full group is not secure?  Consider the set of numbers in Z * p that can be written as a square of another number in Z * p.  For example, p = 7 1 2 mod 7 = 1 2 2 mod 7 = 4 3 2 mod 7 = 2 4 2 mod 7 = 2 5 2 mod 7 = 4 6 2 mod 7 = 1  {1, 2, 4} is a set of squares for p = 7. Note that it is a subgroup. {3, 5, 6} is a set of nonsquares.  Exactly half the numbers in 1, …, p–1 are squares.  Note that any generator of the entire group must be a nonsquare (why?).  g n is a square (nonsquare) when n is even (odd).

19 19 This is the problem:  Assume that g is a nonsquare and Alice sends out g x mod p to Bob. That is, use the full group.  Assume that Eve can determine whether g and g x mod p are squares or not. In this case, g is a nonsquare.  What can Eve know about x from g and g x mod p? If g x mod p is a square, then x is even. If g x mod p is a nonsquare, then x is odd.  That is, Eve knows about the last bit of x.

20 20 Use the subgroup of size q  The solution is to use the subgroup of size q, which contains the set of squares. A square will only generate a square. For p = 7, we use the subgroup {1, 2, 4}.  To sum up: Choose (p, q) such that p = 2q + 1, and both p and q are prime. Choose a random number  in the range [2, p–2] and set g =  2 mod p. Make sure g  1 and g  p–1.  In other words, Alice and Bob will agree on (p, q, g) at the beginning of the DH protocol.

21 21 The final DH protocol

22 22 Summary  The DH protocol is based on the difficulty of solving the discrete logarithm problem.  However, with a trapdoor (x or y), the computation of the key becomes very easy.  There are other public-key cryptosystems based on the discrete logarithm problem, such as the ElGamal algorithm and Elliptic Curves.  We will revisit the DH protocol in the Internet Key Exchange protocol. Cookies for denial-of-service attacks Authentication schemes for the man-in-the-middle attack.

23 23 Acknowledgments  The notes are prepared mostly based on N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003. D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.

Download ppt "1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.

Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.

1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.
7. Asymmetric encryption-

7. Asymmetric encryption-
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
95-712 OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.

OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPublic Key Cryptography1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange

Similar presentations

Ads by Google