CNIT 141
Cryptography for Computer Networks
11. Diffie-Hellman
Updated 11-23-22
Topics
• The Diffie-Hellman Function
• The Diffie-Hellman Problems
• Key Agreement Protocols
• Diffie-Hellman Protocols
• How Things Can Go Wrong
1976
• Whitfield Diffie and Martin Hellman
• Published "New Directions in Cryptography"
• Revolutionized cryptography
• Specified a public-key distribution scheme
• The Diffie-Hellman (DH) protocol
• The basis for public-key encryption and
signatures
Key Agreement
• After exchanging a shared secret
• Parties turn the secret into a symmetric key
• Thus establishing a secure channel
The Diffie-Hellman
Function
The Group Zp*
• The integers 1, 2, 3, ... p-1
• Where p is prime
• In DH, the two parties choose random
elements a and b to be their secrets
• From the group
• Both parties also use a number g
• Which is not a secret
Alice and Bob
• They can both calculate g^ab by combining
public and secret information
Keep a secret
Transmit A = g^a
Calculate g^ab = B^a
Keep b secret
Transmit B = g^b
Calculate g^ab = A^b
Diffie-Hellman
• Alice calculates A = g^a mod p
• and sends it to Bob
• Bob calculates B = g^b mod p
• and sends it to Alice
• Alice calculates B^a mod p = g^ba mod p
• Bob calculates A^b mod p = g^ab mod p
• They now have the same shared secret
Key Derivation Function
(KDF)
• The shared secret is not used directly as the
key
• It's passed through a KDF to create a
random-looking value of the proper size
• A kind of hash function
Safe Primes
• Not all values of p and g work
• For highest security, both p and (p - 1) / 2
should be prime
• Those are called safe primes
• They don't have small subgroups
• That would limit the shared secret to a small
number of possible values
Safe Primes
• With safe primes even a g of 2 works
• But safe primes are slow to generate
• 1000x as long as generating mere random
primes
Generating 2048-bit DH
• 154 seconds
Generating 2048-bit RSA
• 0.17 seconds
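To make the cost difference concrete, here is an added example (not from the slides) that finds a safe prime p = 2q + 1 and counts how many candidates were tried, next to the same count for an ordinary random prime; the primality test is a Miller-Rabin routine written for this example, and the bit sizes are kept small so it runs in well under a second:

```python
import secrets
# Added example, not from the slides: Miller-Rabin, a safe-prime check, and generators
# that count candidates tried, showing why a safe prime costs far more than a plain prime.
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; trial division first to reject cheaply."""
    if n < 4:
        return n > 1
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False   # a witness of compositeness was found
    return True

def is_safe_prime(p):
    """p is a safe prime when both p and (p - 1) / 2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def gen_random_prime(bits):
    """Return (p, candidates_tried) for an ordinary prime of exactly `bits` bits."""
    tried = 0
    while True:
        tried += 1
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1        # odd, top bit set
        if is_probable_prime(p):
            return p, tried

def gen_safe_prime(bits):
    """Return (p, q, candidates_tried) with p = 2q + 1 both prime, p exactly `bits` bits."""
    tried = 0
    while True:
        tried += 1
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1    # q is bits-1 bits long
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, tried
```

Because every element of Z_p* for a safe prime has order 1, 2, q or 2q, a generator such as g = 2 can never land in a small subgroup, which is why the slides say even g = 2 works.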
The Diffie-Hellman
Problems
Discrete Logarithm
Problem
• Public value: g^a
• Secret value: a
• Recovering a from g^a is the DLP
• Diffie-Hellman's security depends on the DLP's
hardness
Eavesdropper
• Attacker knows only g^a and g^b
Keep a secret
Transmit A = g^a
Calculate g^ab = B^a
Keep b secret
Transmit B = g^b
Calculate g^ab = A^b
The Computational Diffie-Hellman Problem (CDH)
• Consider an eavesdropper
• Compute the shared secret g^ab
• Given only the public values g^a and g^b
• And not the secrets a or b
• This might be easier than the DLP
• We don't know for sure
Number Sieve
• DH protocol with 2048-bit prime p provides 90
bits of security
• Same as RSA with a 2048-bit n
• Fastest known attack on Computational
Diffie-Hellman is the number field sieve
• Similar to the fastest known attack on RSA:
the "general number field sieve"
Decisional Diffie-Hellman
Problem (DDH)
• Attacker knows only g^a and g^b but wants shared secret g^ab
• Attacker can't deduce any portion of the shared secret
• Because the shared secret appears random
Keep a secret
Transmit g^a
Keep b secret
Transmit g^b
Attacker wants shared secret g^ab
Decisional Diffie-Hellman
Problem (DDH)
• If DDH is hard, then CDH is also hard
• DDH is less hard than CDH
• DDH hardness is a prime assumption in
cryptography
• Well-studied
• Both DDH and CDH are hard if the
parameters are well-chosen
Key Agreement Protocols
A Non-DH Key Agreement
Protocol
• Authenticated Key Agreement (AKA)
• Used by 3G and 4G
• To establish secure communication between a
SIM card and a telecom operator
• Uses only symmetric-key operations
• Relies on a pre-shared secret K
Replay Attack
• Attacker captures pair (R, V1)
• Sends it to SIM card to open a new session
impersonating the telco
• To prevent this, protocol checks to make sure
R isn't reused
Compromised K
• Attacker who gets K
• Can perform MiTM attack and listen to all
cleartext communications
• Can impersonate either party
• Can record communications and later
decrypt them using the captured R values
Attack Models for
Key Agreement Protocols
• Eavesdropper
• Attacker is a MiTM
• Can record, modify, drop or inject messages
• To stop: protocol must not leak any
information about the shared secret
• Data leak
• Attacker gets the session key and all
temporary secrets
• But not long-term secret K
Attack Models for
Key Agreement Protocols
• Breach
• Attacker learns long-term key K
• Impossible to protect current session from
this attack
• But a protocol can protect other sessions
Security Goals
• Authentication
• Mutual authentication: each party can
authenticate to the other party
• Authenticated Key Agreement happens
when a protocol authenticates both parties
Security Goals
• Key control
• Neither party can control the final shared
secret
• The 3G/4G protocol lacks this property
• Because the operator chooses R
• Which entirely determines the final shared
key
Security Goals
• Forward secrecy
• Even if all long-term secrets are exposed
• Shared secrets from previous sessions are
not available
• 3G/4G protocol doesn't provide this
Performance
• Number of messages exchanged
• Message length
• Computations required
• Possibility of pre-computation
• The main cause of latency is usually
round-trip time
• Computation required also counts
Performance of 3G/4G
• Exchanges two messages of a few hundred
bits each
• Pre-computation is possible
• Operator can pick many values of R in
advance
Diffie-Hellman Protocols
Anonymous Diffie-Hellman
• Not authenticated
• Vulnerable to MiTM attack (next slide)
Authenticated Diffie-Hellman
• Uses public-key signatures to sign messages
• With a system such as RSA-PSS
(Probabilistic Signature Scheme)
Security Against
Eavesdroppers
• Authenticated DH stops eavesdroppers
• Attacker can't learn the shared secret g^ab
• Neither party can control the shared secret
Replay
• Eve can record and replay previous values of
A and sigA
• To pretend to be Alice
• Key confirmation prevents this
• Alice and Bob send a message to prove that
they both own the shared secret
Security Against Data Leaks
• If Eve has a, she can impersonate Alice
• To prevent this, integrate long-term keys into the
shared secret computation
Menezes-Qu-Vanstone (MQV)
• Improved version of DH, designed in 1998
• NSA included it in Suite B
• Designed to protect most critical assets
• More secure than authenticated DH
• Better performance
MQV
• x and y are long-term private keys
• X and Y are long-term public keys
Data Leak
• Attacker who gets the ephemeral secrets a
and b
• Can't find the shared secret
• That would require knowing the long-term
private keys
Breach
• Attacker gets Alice's long-term private key x
• Previous sessions are still safe
• Because they used Alice's ephemeral private
keys
• There is an attack that could compromise a
targeted old session
• It can be mitigated by a key-confirmation
step
MQV Rarely Used
• Was encumbered by patents
• Complex and difficult to implement
• Authenticated DH is simpler and regarded as
good enough
How Things Can Go
Wrong
Not Hashing the Shared
Secret
• The shared secret g^ab is not a session key
• A symmetric key should look random
• Every bit should be 50% likely to be 0
• But g^ab is in the range 1, 2, ... p
• High-order bit more likely to be 0
• Use a KDF to convert the secret to a key
Legacy DH in TLS
• Old cipher suites use Anonymous DH
• TLS_DH_anon_WITH_AES_128_CBC_SHA
• TLS_DH_ANON_AES_128_CBC_SHA1
• TLS_DH_anon_WITH_AES_128_CBC_SHA
• ADH-AES128-SHA
• Link Ch 11i
Unsafe Group Parameters
• OpenSSL allowed unsafe primes p
• Attacker can craft DH parameters that reveal
information about the private key
• Fixed in 2016
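The following added example (not code from the slides) ties together the KDF slide, the "Not Hashing the Shared Secret" slide and the small-subgroup point: it runs one DH exchange over a constructed toy safe-prime group (p = 1187, q = 593, g = 4, an assumption for demonstration only), rejects any received public value outside the order-q subgroup, derives the session key with HKDF-SHA256 instead of using g^ab directly, and measures how far the raw secret's top bit is from the 50% a key needs:

```python
import hashlib
import hmac
import secrets

# Constructed demo group, not from the slides: p = 1187 is a safe prime (q = 593 is
# prime) and g = 4 generates the order-q subgroup. Real systems use 2048-bit+ groups.
P = 1187
Q = (P - 1) // 2
G = 4

def validate_public(value):
    """Reject public values outside the order-q subgroup (small-subgroup defence)."""
    if not 1 < value < P - 1:
        return False
    return pow(value, Q, P) == 1

def hkdf_sha256(shared_secret, info, length=32):
    """HKDF (RFC 5869) extract-then-expand: turns the biased integer into a uniform key."""
    ikm = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()      # extract, zero salt
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def dh_session(a, b):
    """Run one exchange with ephemeral secrets a, b; return (Alice's key, Bob's key)."""
    A = pow(G, a, P)                    # Alice transmits A = g^a mod p
    B = pow(G, b, P)                    # Bob transmits B = g^b mod p
    if not (validate_public(A) and validate_public(B)):
        raise ValueError("public value is not in the expected subgroup")
    k_alice = hkdf_sha256(pow(B, a, P), b"demo session")   # B^a = g^ab mod p
    k_bob = hkdf_sha256(pow(A, b, P), b"demo session")     # A^b = g^ab mod p
    return k_alice, k_bob

def raw_secret_top_bit_fraction():
    """Share of group elements whose top bit is 1: far below 50%, so g^ab is not a key."""
    top = 1 << (P.bit_length() - 1)
    return sum(1 for x in range(1, P) if x & top) / (P - 1)

if __name__ == "__main__":
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    k_a, k_b = dh_session(a, b)
    print(k_a.hex(), k_a == k_b, f"top-bit fraction {raw_secret_top_bit_fraction():.3f}")
```

With p just above 2^10, only about 14% of possible raw secrets have their top bit set, which is exactly the bias the KDF removes.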