11. Diffie-Hellman
- 2. Topics
• The Diffie-Hellman Function
• The Diffie-Hellman Problems
• Key Agreement Protocols
• Diffie-Hellman Protocols
• How Things Can Go Wrong
- 3. 1976
• Whitfield Diffie and Martin Hellman
• Published "New Directions in Cryptography"
• Revolutionized cryptography
• Specified a public-key distribution scheme
• The Diffie-Hellman (DH) protocol
• The basis for public-key encryption and signatures
- 4. Key Agreement
• After exchanging a shared secret
• Parties turn the secret into a symmetric key
• Thus establishing a secure channel
- 6. The Group Z_p^*
• The integers 1, 2, 3, ... p-1
• Where p is prime
• In DH, the two parties choose random elements a and b to be their secrets
• From the group
• Both parties also use a number g
• Which is not a secret
- 7. Alice and Bob
• They can both calculate g^ab by combining public and secret information
[Diagram: Alice keeps a secret, transmits A = g^a, calculates g^ab = B^a; Bob keeps b secret, transmits B = g^b, calculates g^ab = A^b]
- 8. Diffie-Hellman
• Alice calculates A = g^a mod p
• and sends it to Bob
• Bob calculates B = g^b mod p
• and sends it to Alice
• Alice calculates B^a mod p = g^ba mod p
• Bob calculates A^b mod p = g^ab mod p
• They now have the same shared secret
- 9. Key Derivation Function (KDF)
• The shared secret is not used directly as the key
• It's passed through a KDF to create a random-looking value of the proper size
• A kind of hash function
- 10. Safe Primes
• Not all values of p and g work
• For highest security, both p and (p - 1) / 2 should be prime
• Those are called safe primes
• They don't have small subgroups
• That would limit the shared secret to a small number of possible values
- 11. Safe Primes
• With safe primes even a g of 2 works
• But safe primes are slow to generate
• 1000x as long as generating mere random primes
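The exchange on slides 8 through 11 end to end, as an added Python example that is not part of the slides: a Miller-Rabin safe-prime check and generator, a brute-force subgroup-order helper for tiny p (to see the small subgroups slide 10 warns about), the g^a / g^b exchange with validation of the peer's value, and an HKDF-SHA256 stand-in for the KDF of slide 9. All parameters, constants and function names are constructed for this example; the 64-bit prime in the demo run is far too small for real use.

```python
"""Finite-field Diffie-Hellman over Z_p^* with a safe prime, followed by a KDF.
Added teaching example with constructed, deliberately small parameters;
real deployments use p of at least 2048 bits (or an elliptic-curve group)."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, after trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # this witness proves n composite
    return True

def is_safe_prime(p):
    """Slide 10: p is a safe prime when both p and q = (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def gen_safe_prime(bits):
    """Slide 11: search for a prime q with p = 2q+1 also prime; this is the slow part."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exact size
        if is_probable_prime(q, rounds=8) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def element_order(g, p):
    """Brute-force multiplicative order of g mod p (tiny p only), to show subgroup sizes."""
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    x, k = g % p, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k

def check_params(p, g):
    """A safe prime has no small subgroups beyond {1, p-1}, so any g in [2, p-2] is usable."""
    return is_safe_prime(p) and 2 <= g <= p - 2

def dh_keypair(p, g):
    """Secret exponent in [1, q-1] and the public value g^priv mod p."""
    q = (p - 1) // 2
    priv = secrets.randbelow(q - 1) + 1
    return priv, pow(g, priv, p)

def dh_shared(peer_pub, priv, p):
    """g^ab mod p. With a safe prime, rejecting 0, 1 and p-1 removes every small-subgroup value."""
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, p)

def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(shared, p, info=b"constructed DH demo", length=16):
    """Slide 9: the biased integer g^ab is not the key; HKDF turns it into an AES-128 key."""
    ikm = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hkdf_sha256(ikm, b"", info, length)

def dh_demo(p, g=2):
    """One Alice/Bob exchange; returns both derived keys, which must match."""
    if not check_params(p, g):
        raise ValueError("unsafe DH parameters")
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    return derive_key(dh_shared(B, a, p), p), derive_key(dh_shared(A, b, p), p)

if __name__ == "__main__":
    p = gen_safe_prime(64)
    k_alice, k_bob = dh_demo(p)
    print(f"p={p}  key={k_alice.hex()}  match={k_alice == k_bob}")
```

element_order(5, 13) returns 4 while element_order(2, 23) returns 11: 13 is not a safe prime and has an order-4 subgroup, whereas 23 (q = 11) leaves only the orders 1, 2, 11 and 22, which is exactly why check_params insists on a safe prime.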
- 16. Eavesdropper
• Attacker knows only g^a and g^b
[Diagram: Alice keeps a secret, transmits A = g^a, calculates g^ab = B^a; Bob keeps b secret, transmits B = g^b, calculates g^ab = A^b]
- 17. The Computational Diffie-Hellman Problem (CDH)
• Consider an eavesdropper
• Compute the shared secret g^ab
• Given only the public values g^a and g^b
• And not the secrets a or b
• This might be easier than the DLP
• We don't know for sure
- 18. Number Sieve
• DH protocol with a 2048-bit prime p provides 90 bits of security
• Same as RSA with a 2048-bit n
• Fastest known attack on Computational Diffie-Hellman is the number field sieve
• Similar to the fastest known attack on RSA: the "general number field sieve"
- 19. Decisional Diffie-Hellman Problem (DDH)
• Attacker knows only g^a and g^b but wants shared secret g^ab
• Attacker can't deduce any portion of the shared secret
• Because the shared secret appears random
[Diagram: Alice keeps a secret and transmits g^a; Bob keeps b secret and transmits g^b; the attacker wants the shared secret g^ab]
- 20. Decisional Diffie-Hellman Problem (DDH)
• If DDH is hard, then CDH is also hard
• DDH is less hard than CDH
• DDH hardness is a prime assumption in cryptography
• Well-studied
• Both DDH and CDH are hard if the parameters are well-chosen
- 22. A Non-DH Key Agreement Protocol
• Authenticated Key Agreement (AKA)
• Used by 3G and 4G
• To establish secure communication between a SIM card and a telecom operator
• Uses only symmetric-key operations
• Relies on a pre-shared secret K
- 24. Replay Attack
• Attacker captures pair (R, V1)
• Sends it to SIM card to open a new session impersonating the telco
• To prevent this, protocol checks to make sure R isn't reused
- 25. Compromised K
• Attacker who gets K
• Can perform MiTM attack and listen to all cleartext communications
• Can impersonate either party
• Can record communications and later decrypt them using the captured R values
- 26. Attack Models for Key Agreement Protocols
• Eavesdropper
• Attacker is a MiTM
• Can record, modify, drop or inject messages
• To stop: protocol must not leak any information about the shared secret
• Data leak
• Attacker gets the session key and all temporary secrets
• But not long-term secret K
- 27. Attack Models for Key Agreement Protocols
• Breach
• Attacker learns long-term key K
• Impossible to protect current session from this attack
• But a protocol can protect other sessions
- 28. Security Goals
• Authentication
• Mutual authentication: each party can authenticate to the other party
• Authenticated Key Agreement happens when a protocol authenticates both parties
- 29. Security Goals
• Key control
• Neither party can control the final shared secret
• The 3G/4G protocol lacks this property
• Because the operator chooses R
• Which entirely determines the final shared key
- 30. Security Goals
• Forward secrecy
• Even if all long-term secrets are exposed
• Shared secrets from previous sessions are not available
• 3G/4G protocol doesn't provide this
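A toy version of the symmetric challenge-response on slides 22 to 25 and 29 to 30, added here and not taken from the slides or from the 3GPP specifications. The real AKA message format is not given on the slides, so V1 = HMAC_K("auth" || R) and a session key derived as HMAC_K("key" || R) are assumptions, as are the class and function names and the constant K. It shows the replay check on R, why the operator's choice of R fixes the key (no key control), and how a leaked K plus recorded R values reproduces every past session key (no forward secrecy).

```python
"""Symmetric challenge-response in the style of the 3G/4G AKA slides.
Added example: the real AKA message layout is not on the slides, so
V1 = HMAC_K("auth" || R) and session key = HMAC_K("key" || R) are assumed stand-ins."""
import hashlib
import hmac
import secrets

# Constructed pre-shared secret K between SIM and operator (not a real key).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def auth_tag(k, r):
    """V1: proves the sender of R knows K."""
    return hmac.new(k, b"auth|" + r, hashlib.sha256).digest()

def session_key(k, r):
    """Slide 29: the key is a function of K and R only, so whoever picks R fixes the key."""
    return hmac.new(k, b"key|" + r, hashlib.sha256).digest()[:16]

def operator_challenge(k):
    """Operator side: fresh random R plus its tag V1 (this pair can be precomputed, slide 32)."""
    r = secrets.token_bytes(16)
    return r, auth_tag(k, r)

class Sim:
    """SIM side: verify V1 under K, then refuse any R seen before (slide 24)."""

    def __init__(self, k):
        self.k = k
        self.seen = set()   # toy replay cache; real AKA tracks a sequence number instead

    def accept(self, r, v1):
        """Returns the session key, or None when the tag is wrong or R is replayed."""
        if not hmac.compare_digest(auth_tag(self.k, r), v1):
            return None     # check the tag first so forged R values never fill the cache
        if r in self.seen:
            return None     # replayed (R, V1) pair
        self.seen.add(r)
        return session_key(self.k, r)

def keys_after_breach(k, recorded_rs):
    """Slides 25/30: with K and the recorded R values, every past session key is recomputed."""
    return [session_key(k, r) for r in recorded_rs]

if __name__ == "__main__":
    sim = Sim(K)
    r, v1 = operator_challenge(K)
    print("first run :", sim.accept(r, v1).hex())
    print("replayed  :", sim.accept(r, v1))
    print("recovered :", [k.hex() for k in keys_after_breach(K, [r])])
```

The contrast with the DH-based protocols on the following slides is in keys_after_breach: nothing ephemeral enters the key, so the recorded R values are all an attacker holding K needs.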
- 31. Performance
• Number of messages exchanged
• Message length
• Computations required
• Possibility of pre-computation
• The main cause of latency is usually round-trip time
• Computation required also counts
- 32. Performance of 3G/4G
• Exchanges two messages of a few hundred bits each
• Pre-computation is possible
• Operator can pick many values of R in advance
- 38. Replay
• Eve can record and replay previous values of A and sigA
• To pretend to be Alice
• Key confirmation prevents this
• Alice and Bob send a message to prove that they both own the shared secret
- 39. Security Against Data Leaks
• If Eve has a, she can impersonate Alice
• To prevent this, integrate long-term keys into the shared secret computation
- 41. MQV
• x and y are long-term private keys
• X and Y are long-term public keys
- 42. Data Leak
• Attacker who gets the ephemeral secrets a and b
• Can't find the shared secret
• That would require knowing the long-term private keys
- 43. Breach
• Attacker gets Alice's long-term private key x
• Previous sessions are still safe
• Because they used Alice's ephemeral private keys
• There is an attack that could compromise a targeted old session
• It can be mitigated by a key-confirmation step
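MQV as on slides 41 to 43 together with the key-confirmation step of slide 38, as an added example that is not the slides' code or any library's. It uses the textbook MQV formulas over a constructed toy group (p = 1019, a safe prime with q = 509, and g = 4 generating the order-q subgroup); the kdf, keypair and handshake names are assumptions, and the retry loop in handshake exists only because a 509-element group occasionally yields a degenerate Z.

```python
"""MQV key agreement with key confirmation.
Added example using the textbook MQV formulas; the group is a constructed toy:
p = 1019 is a safe prime (q = 509), g = 4 generates the order-q subgroup.
Real use needs a 2048-bit group or an elliptic curve."""
import hashlib
import hmac
import secrets

P = 1019
Q = (P - 1) // 2
G = 4
W = (Q.bit_length() + 1) // 2     # MQV truncation width (5 bits for a 9-bit q)

def keypair():
    """Exponent in [1, q-1] and g^exp mod p; used for long-term (x, X) and ephemeral (a, A) keys."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def _bar(u):
    """MQV truncation: (u mod 2^W) + 2^W, never zero."""
    return (u % (1 << W)) + (1 << W)

def kdf(secret, length=16):
    """Simplified stand-in for a real KDF such as HKDF."""
    return hashlib.sha256(b"mqv-demo|" + secret.to_bytes(2, "big")).digest()[:length]

def mqv_shared(my_eph_priv, my_eph_pub, my_lt_priv, peer_eph_pub, peer_lt_pub):
    """Alice: s = a + bar(A)*x mod q, Z = (B * Y^bar(B))^s mod p; Bob mirrors it.
    Both reach g^((a + bar(A)x)(b + bar(B)y)). Leaking a and b alone does not give Z,
    because the cross term still needs g^(xy) (slide 42); leaking x later does not
    give old Z values, because those still need the old ephemeral a (slide 43)."""
    for v in (peer_eph_pub, peer_lt_pub):
        if not 2 <= v <= P - 2 or pow(v, Q, P) != 1:   # must lie in the order-q subgroup
            raise ValueError("invalid public value")
    s = (my_eph_priv + _bar(my_eph_pub) * my_lt_priv) % Q
    z = pow(peer_eph_pub * pow(peer_lt_pub, _bar(peer_eph_pub), P) % P, s, P)
    if z == 1:
        raise ValueError("degenerate shared secret")
    return z

def confirm_tag(key, role):
    """Slide 38: prove possession of the key; a replayed A without its a cannot produce this."""
    return hmac.new(key, b"confirm|" + role, hashlib.sha256).digest()

def verify_tag(key, role, tag):
    return hmac.compare_digest(confirm_tag(key, role), tag)

def handshake(x, X, y, Y):
    """Fresh ephemeral keys, MQV on both sides, key confirmation both ways."""
    while True:                 # retry only matters in this toy group (q = 509)
        a, A = keypair()
        b, B = keypair()
        try:
            k_alice = kdf(mqv_shared(a, A, x, B, Y))
            k_bob = kdf(mqv_shared(b, B, y, A, X))
        except ValueError:
            continue
        confirmed = (verify_tag(k_alice, b"bob", confirm_tag(k_bob, b"bob"))
                     and verify_tag(k_bob, b"alice", confirm_tag(k_alice, b"alice")))
        return k_alice, k_bob, confirmed

if __name__ == "__main__":
    x, X = keypair()
    y, Y = keypair()
    ka, kb, ok = handshake(x, X, y, Y)
    print(f"keys match={ka == kb} confirmed={ok} key={ka.hex()}")
```

The subgroup check in mqv_shared rejects 1, p-1 and any value outside the order-q subgroup (for example 2, which has order 2q in this group); the 2016 OpenSSL issue on slide 48 is the same class of problem, parameters that let an attacker's value land in a small subgroup.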
- 44. MQV Rarely Used
• Was encumbered by patents
• Complex and difficult to implement
• Authenticated DH is simpler and regarded as good enough
- 46. Not Hashing the Shared Secret
• The shared secret g^ab is not a session key
• A symmetric key should look random
• Every bit should be 50% likely to be 0
• But g^ab is in the range 1, 2, ... p
• High-order bit more likely to be 0
• Use a KDF to convert the secret to a key
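Measuring the bias slide 46 describes, as an added Python example not taken from the slides. With the constructed toy safe prime p = 1187, every g^ab mod p lies in 1..1186, so the top bit of its 11-bit encoding is set only for the 163 values at or above 1024; after a hash-based stand-in for the KDF the top bit is set about half the time. The function names are assumptions.

```python
"""Why g^ab mod p must go through a KDF before use as a key.
Added example; p = 1187 is a constructed toy safe prime (q = 593)."""
import hashlib

def top_bit_fraction(values, nbits):
    """Fraction of values whose top bit (bit nbits-1) is set."""
    mask = 1 << (nbits - 1)
    hits = sum(1 for v in values if v & mask)
    return hits / len(values)

def raw_secret_bias(p):
    """g^ab mod p lies in 1..p-1; how often is the top bit of its encoding 1?
    For p just above a power of two the answer is far below 1/2."""
    return top_bit_fraction(range(1, p), p.bit_length())

def hashed_secret_bias(p):
    """The same values after a simplified KDF (SHA-256 of the fixed-width encoding)."""
    width = (p.bit_length() + 7) // 8
    hashed = [hashlib.sha256(v.to_bytes(width, "big")).digest()[0] for v in range(1, p)]
    return top_bit_fraction(hashed, 8)

if __name__ == "__main__":
    p = 1187
    print(f"p={p}: raw top-bit frequency {raw_secret_bias(p):.3f}, "
          f"after hashing {hashed_secret_bias(p):.3f}")
```

The raw frequency is exactly 163/1186, about 0.137, so the first bit of the unhashed secret is 0 roughly 86% of the time; the same effect appears with a real-sized p whenever p sits well below the next power of two.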
- 47. Legacy DH in TLS
• Old cipher suites use Anonymous DH
• TLS_DH_anon_WITH_AES_128_CBC_SHA
• TLS_DH_ANON_AES_128_CBC_SHA1
• TLS_DH_anon_WITH_AES_128_CBC_SHA
• ADH-AES128-SHA
• Link Ch 11i
- 48. Unsafe Group Parameters
• OpenSSL allowed unsafe primes p
• Attacker can craft DH parameters that reveal information about the private key
• Fixed in 2016