1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.


1 Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 9 February 2007

2 Outline
• Multiplicative group modulo prime
• The basic Diffie-Hellman (DH) protocol
  - The discrete logarithm problem
  - Man-in-the-middle attack
• Other security problems about the subgroups
  - Using a safe prime
  - Using a smaller subgroup
• An enhanced DH protocol

3 Motivation for the DH protocol
• Using a secret-key cryptosystem, how many secret keys are needed for a group of n people to communicate?
  - C(n, 2) = n(n–1)/2 = O(n^2)
  - Managing a large number of keys is another problem.
• Whitfield Diffie and Martin Hellman asked whether this can be done more efficiently by making the encryption and decryption keys different.
  - They came up with the Diffie-Hellman (DH) protocol, which is a partial solution: agree on a secret key over an insecure channel.

4 Multiplicative group modulo prime
• Assume that p is a large prime (2000–4000 bits long).
• The DH protocol uses Z*_p, the multiplicative group modulo p.
• Recall that there exists at least one primitive element in Z*_p.
  - More precisely, there are φ(p–1) of them.
  - Each one of them can generate the entire Z*_p.

5 The basic DH protocol
• Agree on a large prime p and a primitive element g in Z*_p. Neither p nor g is secret.
• Alice (Bob) chooses a random x (y) in Z*_p = {1, 2, …, p–1} and computes g^x mod p (g^y mod p).
  - Send the result to Bob (Alice); the result is not a secret.
• Alice computes the secret key k as (g^y mod p)^x mod p = g^(xy) mod p.
• Bob computes the secret key k as (g^x mod p)^y mod p = g^(xy) mod p.

6 The basic DH protocol (diagram slide)

7 The discrete logarithm problem
• Given the knowledge of p, g, g^x mod p, and g^y mod p, how does an attacker find g^(xy) mod p?
• The best method known is to solve the discrete logarithm problem.
  - Given X = g^x mod p, g, and p, find x (x = log_g X).
  - Analogous to computing logarithms over the real numbers.
  - With x and g^y mod p, one can compute g^(xy) mod p.

8 For example,
• p = 13 and g = 2 is a primitive element.
  - Given g^x mod p = 1, x = 0
  - Given g^x mod p = 2, x = 1
  - Given g^x mod p = 3, x = 4
  - Given g^x mod p = 4, x = 2
  - …
• Solving the discrete logarithm problem:
  - Exhaustive search by computing g^1, g^2, g^3, …, until g^x is found.
  - Precompute all possible values of g^i, then sort the list of ordered pairs (i, g^i) with respect to the second component and perform a binary search for g^x.
  - Many other smarter algorithms.

9 Man-in-the-middle attack
• The basic DH protocol does not protect against the man-in-the-middle attack.
• Alice cannot authenticate whether the other side is Bob, and vice versa.
• Instead, Eve establishes secret keys with Alice and with Bob.
  - Eve can relay the messages so that neither side is aware of the attack.
  - Authentication mechanisms are needed.

10 Man-in-the-middle attack (diagram slide)

11 Additional security problems
• Problem 1: Eve can intercept g^x mod p and g^y mod p, and replace them with 1. Therefore, k = 1.
• Problem 2: g may not be a primitive element of Z*_p.
  - The order of g (denoted by t) may not be large enough.
  - Note that the key is in the set {1, g, g^2, …, g^(t–1)}.
  - Eve can possibly search through all possible keys.

12 Additional security problems
• For any divisor of p–1, say d, there is a single subgroup of size d.
  - E.g., for p–1 = 6, the divisors are {1, 2, 3, 6}. There is a subgroup of size 1 ({1}), a subgroup of size 2 ({1, 6}), a subgroup of size 3 ({1, 2, 4}), and a subgroup of size 6.
• Problem 3: Eve intercepts g^x mod p and replaces it with h, where h has a small order.
  - Since k = h^y mod p, the number of possible keys may not be large enough.
• If p is a large prime, then p–1 is always even. Therefore, there is a subgroup of size 2: {1, p–1}.
  - Use a safe prime to avoid small subgroups other than the one of size 2, which is always present.
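As an added, toy-scale illustration (not code from the lecture), the functions below enumerate the subgroups of Z*_p for the p = 7 case on this slide, list the primitive elements of slide 4, and count how few keys remain once a low-order value h is substituted for g^x; the function names are my own.

```python
def element_order(a, p):
    """Smallest t >= 1 with a^t ≡ 1 (mod p), for a in Z*_p (p prime)."""
    t, x = 1, a % p
    while x != 1:
        x, t = x * a % p, t + 1
    return t

def subgroups(p):
    """Slide 12: for each divisor d of p-1, the unique subgroup of size d,
    namely the elements a with a^d ≡ 1 (mod p)."""
    return {d: [a for a in range(1, p) if pow(a, d, p) == 1]
            for d in range(1, p) if (p - 1) % d == 0}

def generators(p):
    """Slide 4: the primitive elements, i.e. those of order p-1."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]

def possible_keys(h, p):
    """Problems 1-3: if Eve substitutes h for g^x, Bob's key h^y mod p can only
    be one of the element_order(h, p) values returned here, whatever y is."""
    return sorted({pow(h, y, p) for y in range(1, p)})
```

For p = 7, possible_keys(6, 7) is just [1, 6], which is why a receiver must reject values of small order before using them.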

13 A safe prime approach
• A safe prime is a large enough prime p = 2q + 1, where q is also a prime.
• Now, Z*_p for such a safe prime has the following subgroups:
  - {1}
  - {1, p–1}
  - A subgroup of size q
  - A subgroup of size 2q (the full group)
• The first two subgroups are easy to avoid.
• The full group has one more problem.

14 A safe prime approach
• Consider the set of numbers in Z*_p that can be written as the square of another number in Z*_p.
• For example, p = 7:
  - 1^2 mod 7 = 1
  - 2^2 mod 7 = 4
  - 3^2 mod 7 = 2
  - 4^2 mod 7 = 2
  - 5^2 mod 7 = 4
  - 6^2 mod 7 = 1
• {1, 2, 4} is the set of squares for p = 7.
• Exactly half the numbers in 1, …, p–1 are squares.
• Any generator of the entire group is a nonsquare (why?).

15 A safe prime approach
• The Legendre symbol can determine whether a number modulo p is a square or not.
• Assume g is a nonsquare and Alice sends out g^x to Bob.
• Given that Eve can determine whether g and g^x are squares, what can Eve know?
  - If g^x is a square, then x is even.
  - If g^x is a nonsquare, then x is odd.
  - That is, Eve learns the last bit of x.

16 A safe-prime approach
• The solution is to use the subgroup of size q, which is exactly the set of squares.
  - A square will only generate squares.
  - For p = 7, we use the subgroup {1, 2, 4}.
• To sum up:
  - Choose (p, q) such that p = 2q + 1, and both p and q are prime.
  - Choose a random number α in the range [2, p–2] and set g = α^2 mod p.
  - Make sure g ≠ 1 and g ≠ p–1.

17 Enhancing the DH protocol
• Decide on (p, q, g) according to the algorithm described on the last slide.
• When Bob receives g^x mod p from Alice, he can check whether the value is indeed from the subgroup consisting of squares.
  - Use the Legendre symbol function, or
  - Use: a number r is a square if and only if r^q ≡ 1 (mod p). Also avoid r = 1.
  - E.g., p = 2 × 3 + 1 (q = 3): 2 is a square because 2^3 ≡ 1 (mod 7), and 4 is a square because 4^3 ≡ 1 (mod 7).
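An added example (my own code, not the lecture's) covering slides 14 to 17 at p = 7 so every value can be checked by hand: Euler's criterion as the square test, the g = α^2 mod p choice, Bob's r^q ≡ 1 (mod p) check, and the last-bit leak that occurs when g is a nonsquare.

```python
def is_square(r, p):
    """Euler's criterion, i.e. Legendre symbol (r/p) = 1:
    r is a square in Z*_p iff r^((p-1)/2) ≡ 1 (mod p)."""
    return pow(r, (p - 1) // 2, p) == 1

def squares(p):
    """Slide 14: the set of squares in Z*_p by direct computation."""
    return sorted({a * a % p for a in range(1, p)})

def choose_square_generator(p, alpha):
    """Slide 16: for a safe prime p = 2q + 1, g = alpha^2 mod p lies in the
    order-q subgroup of squares; the degenerate values 1 and p-1 are rejected."""
    g = alpha * alpha % p
    if g in (1, p - 1):
        raise ValueError("degenerate g; choose another alpha")
    return g

def bob_accepts(r, p, q):
    """Slide 17: r^q ≡ 1 (mod p) means r is a square; r = 1 is rejected too."""
    return 1 < r < p and pow(r, q, p) == 1

def eve_learns_parity(gx, p):
    """Slide 15: if g is a nonsquare, g^x is a square iff x is even, so the
    Legendre symbol of g^x reveals the last bit of x. Returns that bit."""
    return 0 if is_square(gx, p) else 1
```

With the nonsquare g = 3, eve_learns_parity(pow(3, x, 7), 7) equals x mod 2; with the square g = 2, every g^x is a square and the function returns 0 regardless of x, which is the point of restricting to the subgroup.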

18 A smaller-subgroup approach
• The main disadvantage of the safe-prime approach is the computational workload.
  - If p is n bits long, then q is (n–1) bits long.
  - All exponents are n–1 bits long.
• Another approach is to use a smaller subgroup.
  - Choose q as a 256-bit prime (2^255 < q < 2^256).
  - Find a much larger prime p = N × q + 1, where N is randomly chosen in some range.
  - N must be even: increase it from 2 to a much larger even number, and check whether p is prime.

19 Enhancing the DH protocol
• Find an element of order q:
  - Choose a random number α in the range [2, p–2] and set g = α^N mod p.
  - Make sure that g ≠ 1 and g^q ≡ 1 (mod p).
• As in the previous approach, Bob and Alice must check whether the received value comes from the subgroup generated by g:
  - r^q ≡ 1 (mod p) and 1 < r < p (which includes r ≠ 1).

20 The final DH protocol
• Based on the second approach, both Alice and Bob check (p, q, g):
  - Both p and q are prime.
  - q is 256 bits and p is sufficiently large (at least 2048 bits).
  - q is a divisor of p–1 (p = N × q + 1).
  - Choose a random number α in the range [2, p–2] and set g = α^N mod p.
  - g ≠ 1 and g^q ≡ 1 (mod p).
• Verify that the number received from the other side indeed comes from the subgroup: r^q ≡ 1 (mod p) and 1 < r < p.
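An added, self-contained Python version (my own code, not the lecture's) of the smaller-subgroup parameter generation and the checks on slides 18 to 20, followed by one exchange in which each side validates what it received. The Miller-Rabin test is a constructed helper; the bit sizes are parameters so that a demo can run with small values, with the slides' 256/2048 bits as the defaults.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (constructed helper, not from the slides)."""
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(q_bits=256, p_bits=2048):
    """Slides 18-19: prime q of q_bits, p = N*q + 1 with N even, g = alpha^N of order q."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while True:
        N = secrets.randbits(p_bits - q_bits) & ~1       # N must be even
        p = N * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, N, p)       # alpha in [2, p-2]
        if g != 1 and pow(g, q, p) == 1:                  # g has order exactly q
            return p, q, g

def check_params(p, q, g, q_bits=256, p_bits=2048):       # slide 20: checks on (p, q, g)
    return (is_probable_prime(p) and is_probable_prime(q) and q.bit_length() == q_bits
            and p.bit_length() >= p_bits and (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1)

def check_received(r, p, q):                              # slide 20: r^q ≡ 1 (mod p), 1 < r < p
    return 1 < r < p and pow(r, q, p) == 1

def dh_exchange(p, q, g):                                 # slide 21: validate, then derive the key
    x, y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1   # private exponents
    gx, gy = pow(g, x, p), pow(g, y, p)                   # exchanged in the clear
    if not (check_received(gy, p, q) and check_received(gx, p, q)):
        raise ValueError("received value is outside the order-q subgroup")
    k_alice, k_bob = pow(gy, x, p), pow(gx, y, p)         # both equal g^(xy) mod p
    return k_alice if k_alice == k_bob else None
```

Calling generate_params(64, 256) keeps the pure-Python run under a second; the order-2 element p–1 fails check_received because (p–1)^q ≡ –1 (mod p) for odd q.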

21 The final DH protocol (diagram slide)

22 Summary
• The DH protocol is based on the difficulty of solving the discrete logarithm problem.
• However, with a trapdoor (x or y), the computation of the key becomes very easy.
• There are other public-key cryptosystems based on the discrete logarithm problem, such as the ElGamal algorithm and elliptic curves.
• We will revisit the DH protocol in the Internet Key Exchange protocol:
  - Cookies for denial-of-service attacks
  - Authentication schemes for the man-in-the-middle attack

23 Acknowledgments
• The notes are prepared mostly based on:
  - N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.