Active Attacks on DH Key Exchange

1. Active Attacks on DH Key Exchange Dr. Dharma Ganesan, Ph.D.,

2. Table of Contents ● Objectives of the presentation ● Cryptography problem - Secret Key Exchange ● Cryptanalysis - How to break the crypto system ● Open problems ● Conclusion 2

3. Objectives ● Demonstrate how the basic Diffie-Hellman (DH) key exchange works ● Demonstrate how an active attacker can edit DH parameters ● Demonstrate how the man-in-the-middle obtains the shared secret key ○ when DH is used without digital signature 3

4. Alice Encrypts - Eve sees gibberish - Bob Decrypts 4 Hello Bob Encryption Algorithm (open to all) Secret key K 01534236 Secret Key K Decryption Algorithm (open to all) Hello Bob Note: The same secret key K is used by encryption and decryption algorithms Kerckhoff’s principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key

5. Problem: sender and receiver need the same key 5 Key K Key K ● Alice and Bob are too far away from each other ● They never met each other ● They cannot exchange the secret key publicly (Eve is listening) ● How can they arrive at the same secret key K?

6. 6 We have been (unknowingly) using the mod notation Let’s go to bed @ 21 hour 21 ≡ 9 (mod 12) Note: When 21 is divided by 12, 9 is the remainder What is 5*8 on this clock? 5*8 = 40 ≡ 4 (mod 12) Gauss developed the theory of modular arithmetic

7. 7 Cryptographers love mod and primes Cryptographers view this clock as follows: Z* 13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} They use mod 13, which is a prime number Z* p = {1, 2, 3, …, p-1} i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 For example, 24 ≡ 3 (mod 13) 2 is a generator of this clock because it generates all hours from 1..12

8. Why cryptographers use mod and one-way functions? 8 ● In a clock, patterns are not that obvious to detect for Eve ● For example, 26 is greater than 27 in mod 13 ● Some problems are difficult to answer (without seeing the below table) ● For example, 2i ≡ 11 (mod 13), can you quickly find the i? i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 E a s y H a r d Cryptographers use one-way functions: Easy in one direction, but hard the other

9. Power rule of exponents (23 )4 = (23 )(23 )(23 )(23 ) = 212 (24 )3 = (24 )(24 )(24 ) = 212 So, (23 )4 = (24 )3 In general, (g𝑥 )𝑦 = (g 𝑦 )𝑥 = (g 𝑥𝑦 ) [Proof: Exercise] 9

10. Diffie-Hellman Key Exchange Algorithm ● In 1970s, they solved the problem of key exchange! ○ Using an one-way function (easy to compute, hard to reverse) ● Alice and Bob arrive at a shared secret key k ○ Using the power rule of exponents (no courier service) ● Eavesdropper Eve cannot easily derive the secret key k ○ Takes billions of years to solve by computers (at this time of writing) ● Diffie, W., and Hellman, M. New directions in cryptography ○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654 10 Prof. Hellman (H) Diffie (D)

11. 11 Double the hours 5 times (i.e., 25 mod 13) Double the hours 4 times (i.e., 24 mod 13) Send the clock to Bob Send the clock to Alice Key Exchange - Visual Demo Triple the hours 5 times (i.e., 35 mod 13) Sixfold the hours 4 times (i.e., 64 mod 13) Both Alice and Bob arrive at the same key (9) Note: 5 and 4 are secrets

12. 12 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = B𝑥 mod p Secret K = A𝑦 mod p Send A to Bob Send B to Alice Both Alice and Bob have the same secret key Eve sees A and B, but not 𝑥, 𝑦, or K Key Exchange Algorithm - Core Idea (assume that g and p are public)

13. 13 Pick a random number 𝑥 = 5 Pick a random number 𝑦 = 4 Compute A = 25 mod 13 Compute B = 24 mod 13 Secret K = 35 mod 13 = 9 Secret K = 64 mod 13 = 9 Send A = 6 to Bob Send B = 3 to Alice Both Alice and Bob have the secret key 9 DH Key Exchange - Example (g=2, p=13)

14. 14 How can Eve recover the secret key K? Option 1: ● Eve knows that the secret key can be in {1, 2, … 12} ● She can just try 12 possibilities to decrypt messages i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 Option 2: ● Eve builds the above table and solves B = g𝑦 mod p ● For example, B = 6 means secret 𝑦 = 5 Other Options?

15. Cryptographers use a very large clock to trick Eve 15 ● Prime p is made of at least 600 digits or so (in 2019) ○ p shall satisfy more properties (not covered here) ● Difficult for Eve to construct the table of all possibilities ● Eve will have to live for several billion years to break it ● Or, she must solve some cool problems (next slide) p-1

16. Some cool problems to solve 16 ● Problem 1: Given B, g, and p, efficiently find y such that B = g𝑦 mod p ● Problem 2: Given g𝑥 mod p and g𝑦 mod p, find g𝑥𝑦 mod p ○ The exponents 𝑥 and 𝑦 are not known to Eve, of course ● Problem 3: Find the prime factors p and q of N such that N = p*q ○ I did not talk about this problem in this presentation ○ See https://www.slideshare.net/dganesan11

17. Let’s give more power to Eve 17 ● Let’s allow Eve to edit DH parameter g ● In particular, Eve will choose g from {1, p, p-1} ● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob ● We will show that in all these cases Eve can recover the secret key K

18. 18 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p = 1 Compute B = g𝑦 mod p = 1 Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A = 1 to Bob Send B = 1 to Alice Eve replaced the g by 1 Eve knows the secret key K = 1 Case 1: Eve fixed the generator g = 1

19. 19 ~/crypto$ p=13 ~/crypto$ g=1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ● p = 13 and g=1 ● Eve learns that the secret key must be one

20. 20 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = p𝑥 mod p = 0 Compute B = p𝑦 mod p = 0 Secret K = B𝑥 mod p = 0 Secret K = A𝑦 mod p = 0 Send A = 0 to Bob Send B = 0 to Alice Eve replaced the g by p Eve knows the secret key K = 0 Case 2: Eve fixed the generator g = p

21. 21 ~/crypto$ p=13 ~/crypto$ g=13 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****0 ● p = 13 and g=13 ● Eve learns that the secret key must be zero

22. 22 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = (p-1)𝑥 mod p Compute B = (p-1)𝑦 mod p Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A to Bob Send B to Alice Eve replaced the g by p-1 Eve knows the secret key K = 1 or K = p-1 Case 3: Eve fixed the generator g = p-1

23. g = p-1 23 ● Eve replaces g by p-1 ● Alice will compute her public key: A = gx mod p = (p-1)x mod p ● Bob will compute his public key: B = gy mod p = (p-1)y mod p ● Both Alice and Bob will arrive at K = (p-1)xy mod p ● If x (or y) is even, then K = (p-1)xy mod p = 1 ● If x and y are odd, then K = (p-1)xy mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)

24. 24 ~/crypto$ p = 13 ~/crypto$ g = 12 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****12 ● p = 13 and g=12 ● Eve learns that the secret key must be 1 or p-1

25. 25 Let’s allow Eve to edit public keys A and B only

26. Case 1: What if Eve sets public keys A and B to p? 26 ● Recall that Alice and Bob send their public keys on the public channel ● What if Eve intercepts and modifies the public keys? ● Case 1: For example, Eve replaces the public keys as follows: ○ Eve replaces Alice’s public key A by p ○ Eve also replaces Bob’s public key B by p ● Alice will compute the private key: K = Ax mod p = px mod p = 0 ○ K = 0 because px divides p ○ Similarly, Bob will compute the private key: K = Bx mod p = px mod p = 0 ● Eve knows the secret key K = 0

27. 27 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = p𝑥 mod p = 0 Secret K = p𝑦 mod p = 0 Send p to Bob Send p to Alice Eve replaced the public keys A and B by p Eve knows the secret key K = 0 Case 1: Eve edits the public keys A and B by p

28. Case 2:What if Eve sets public keys A and B to p-1? 28 ● Eve replaces the public keys A and B to p-1 ● Alice will compute the private key: K = Ax mod p = (p-1)x mod p ● If the unknown x is even, then K = (p-1)x mod p = 1 ● If the unknown x is odd, then K = (p-1)x mod p = (p-1)x-1 (p-1) mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)

29. 29 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = (p-1)𝑥 mod p Secret K = (p-1)𝑦 mod p Send (p-1) to Bob Send (p-1) to Alice Eve replaced the public keys A and B by p-1 Eve knows the secret key K =1 or (p-1) Case 2: Eve edits the public keys A and B by p-1

30. 30 ~/crypto$ echo $p 13 ~/crypto$ echo $g 2 ~/crypto$ echo $MiTm true ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****12 ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g $MiTm Exception in thread "main" java.lang.AssertionError at Basic_DH.main(Basic_DH.java:70) ● p = 13 and g=2 ● Eve learns that the secret key can be either 1 or 12 only ● However, Alice and Bob may notice that something is wrong because the shared secret key may be different ● For example, Alice’s K = 1 and Bob’s K = 12 ● My demo program throws an exception if Alice and Bob have different secret keys

31. Conclusion 31 ● If we allow Eve to edit g, then she can fix the secret key! ● Usually, in practice, the value of g and p are hard-coded ● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g ● Demo shows that by editing the public keys, the secret key is exposed ● DH key exchange algorithm should not be used without digital signature ● Otherwise, man-in-the-middle can alter DH parameters and public keys ● These active attacks were part of Crypto exercise problems ○ (e.g., Textbooks and online cryptopal challenge set 5)

32. Appendix - Proof of concept (not for production use) 32

33. 33 public class Basic_DH { private BigInteger p = BigInteger.valueOf(2); private BigInteger g = BigInteger.valueOf(2); public Basic_DH(BigInteger p, BigInteger g) { this.p = p; this.g = g; } private Basic_DH(){} public BigInteger generatePublicKey(BigInteger privKey) { return g.modPow(privKey, p); } public BigInteger generatePrivKey() { while(true) { BigInteger privKey = new BigInteger(p.bitLength(), new SecureRandom()); if(privKey.compareTo(p) < 0) return privKey; } } public BigInteger generateSessionKey(BigInteger pubKey, BigInteger privKey) { return pubKey.modPow(privKey, p); } }

34. 34 BigInteger p = new BigInteger(args[0]); BigInteger g = new BigInteger(args[1]); if(args.length > 2) { MitM_Param_Injection = Boolean.parseBoolean(args[2]); } Basic_DH dh = new Basic_DH(p, g); BigInteger x = dh.generatePrivKey(); BigInteger A = dh.generatePublicKey(x); BigInteger y = dh.generatePrivKey(); BigInteger B = dh.generatePublicKey(y); if(MitM_Param_Injection) { B = p.subtract(BigInteger.ONE); A = p.subtract(BigInteger.ONE); } BigInteger alice_sk = dh.generateSessionKey(B, x); BigInteger bob_sk = dh.generateSessionKey(A, y); assert alice_sk.equals(bob_sk); System.out.println("*** Secret Session Key = ****" + alice_sk);

Active Attacks on DH Key Exchange

Dharmalingam Ganesan

Active Attacks on DH Key Exchange