We allow Eve to modify DH parameters as well as public keys of Alice and Bob. This allows Eve to derive the secret key and break the DH crypto system. We demonstrate that the DH key exchange algorithm should not be used without digital signatures.
2. Table of Contents
● Objectives of the presentation
● Cryptography problem - Secret Key Exchange
● Cryptanalysis - How to break the crypto system
● Open problems
● Conclusion
2
3. Objectives
● Demonstrate how the basic Diffie-Hellman (DH) key exchange works
● Demonstrate how an active attacker can edit DH parameters
● Demonstrate how the man-in-the-middle obtains the shared secret key
○ when DH is used without digital signature
3
4. Alice Encrypts - Eve sees gibberish - Bob Decrypts
4
Hello Bob
Encryption
Algorithm
(open to all)
Secret
key K
01534236
Secret
Key K
Decryption
Algorithm
(open to all)
Hello Bob
Note: The same secret key K is used by
encryption and decryption algorithms
Kerckhoff’s principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key
5. Problem: sender and receiver need the same key
5
Key K Key K
● Alice and Bob are too far away
from each other
● They never met each other
● They cannot exchange the secret
key publicly (Eve is listening)
● How can they arrive at the same
secret key K?
6. 6
We have been (unknowingly) using the mod notation
Let’s go to bed @ 21 hour
21 ≡ 9 (mod 12)
Note: When 21 is divided by 12, 9 is the remainder
What is 5*8 on this clock?
5*8 = 40 ≡ 4 (mod 12) Gauss developed the theory of
modular arithmetic
7. 7
Cryptographers love mod and primes
Cryptographers view this clock as follows:
Z*
13
= {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
They use mod 13, which is a prime number
Z*
p
= {1, 2, 3, …, p-1}
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
For example, 24
≡ 3 (mod 13) 2 is a generator of this clock because it generates all hours from 1..12
8. Why cryptographers use mod and one-way functions?
8
● In a clock, patterns are not that obvious to detect for Eve
● For example, 26
is greater than 27
in mod 13
● Some problems are difficult to answer (without seeing the below table)
● For example, 2i
≡ 11 (mod 13), can you quickly find the i?
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
E
a
s
y
H
a
r
d
Cryptographers use one-way functions: Easy in one direction, but hard the other
9. Power rule of exponents
(23
)4
= (23
)(23
)(23
)(23
) = 212
(24
)3
= (24
)(24
)(24
) = 212
So, (23
)4
= (24
)3
In general, (g𝑥
)𝑦
= (g 𝑦
)𝑥
= (g 𝑥𝑦
) [Proof: Exercise]
9
10. Diffie-Hellman Key Exchange Algorithm
● In 1970s, they solved the problem of key exchange!
○ Using an one-way function (easy to compute, hard to reverse)
● Alice and Bob arrive at a shared secret key k
○ Using the power rule of exponents (no courier service)
● Eavesdropper Eve cannot easily derive the secret key k
○ Takes billions of years to solve by computers (at this time of writing)
● Diffie, W., and Hellman, M. New directions in cryptography
○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654
10
Prof. Hellman (H) Diffie (D)
11. 11
Double the hours 5 times (i.e., 25
mod 13) Double the hours 4 times (i.e., 24
mod 13)
Send the clock to Bob Send the clock to Alice
Key Exchange - Visual Demo
Triple the hours 5 times (i.e., 35
mod 13) Sixfold the hours 4 times (i.e., 64
mod 13)
Both Alice and Bob arrive at the same key (9)
Note: 5 and 4 are secrets
12. 12
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = B𝑥
mod p Secret K = A𝑦
mod p
Send A to Bob Send B to Alice
Both Alice and Bob have
the same secret key
Eve sees A and B,
but not 𝑥, 𝑦, or K
Key Exchange Algorithm - Core Idea
(assume that g and p are public)
13. 13
Pick a random number 𝑥 = 5 Pick a random number 𝑦 = 4
Compute A = 25
mod 13 Compute B = 24
mod 13
Secret K = 35
mod 13 = 9 Secret K = 64
mod 13 = 9
Send A = 6 to Bob Send B = 3 to Alice
Both Alice and Bob
have the secret key 9
DH Key Exchange - Example (g=2, p=13)
14. 14
How can Eve recover the secret key K?
Option 1:
● Eve knows that the secret key can be in {1, 2, … 12}
● She can just try 12 possibilities to decrypt messages
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
Option 2:
● Eve builds the above table and solves B = g𝑦
mod p
● For example, B = 6 means secret 𝑦 = 5
Other Options?
15. Cryptographers use a very large clock to trick Eve
15
● Prime p is made of at least 600 digits or so (in 2019)
○ p shall satisfy more properties (not covered here)
● Difficult for Eve to construct the table of all possibilities
● Eve will have to live for several billion years to break it
● Or, she must solve some cool problems (next slide)
p-1
16. Some cool problems to solve
16
● Problem 1: Given B, g, and p, efficiently find y such that B = g𝑦
mod p
● Problem 2: Given g𝑥
mod p and g𝑦
mod p, find g𝑥𝑦
mod p
○ The exponents 𝑥 and 𝑦 are not known to Eve, of course
● Problem 3: Find the prime factors p and q of N such that N = p*q
○ I did not talk about this problem in this presentation
○ See https://www.slideshare.net/dganesan11
17. Let’s give more power to Eve
17
● Let’s allow Eve to edit DH parameter g
● In particular, Eve will choose g from {1, p, p-1}
● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob
● We will show that in all these cases Eve can recover the secret key K
18. 18
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p = 1 Compute B = g𝑦
mod p = 1
Secret K = B𝑥
mod p = 1 Secret K = A𝑦
mod p = 1
Send A = 1 to Bob Send B = 1 to Alice
Eve replaced the g by 1 Eve knows the
secret key K = 1
Case 1: Eve fixed the generator g = 1
20. 20
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = p𝑥
mod p = 0 Compute B = p𝑦
mod p = 0
Secret K = B𝑥
mod p = 0 Secret K = A𝑦
mod p = 0
Send A = 0 to Bob Send B = 0 to Alice
Eve replaced the g by p Eve knows the
secret key K = 0
Case 2: Eve fixed the generator g = p
22. 22
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = (p-1)𝑥
mod p Compute B = (p-1)𝑦
mod p
Secret K = B𝑥
mod p = 1 Secret K = A𝑦
mod p = 1
Send A to Bob Send B to Alice
Eve replaced the g by p-1 Eve knows the secret
key K = 1 or K = p-1
Case 3: Eve fixed the generator g = p-1
23. g = p-1
23
● Eve replaces g by p-1
● Alice will compute her public key: A = gx
mod p = (p-1)x
mod p
● Bob will compute his public key: B = gy
mod p = (p-1)y
mod p
● Both Alice and Bob will arrive at K = (p-1)xy
mod p
● If x (or y) is even, then K = (p-1)xy
mod p = 1
● If x and y are odd, then K = (p-1)xy
mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
24. 24
~/crypto$ p = 13
~/crypto$ g = 12
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****12
● p = 13 and g=12
● Eve learns that the secret key must be 1 or p-1
26. Case 1: What if Eve sets public keys A and B to p?
26
● Recall that Alice and Bob send their public keys on the public channel
● What if Eve intercepts and modifies the public keys?
● Case 1: For example, Eve replaces the public keys as follows:
○ Eve replaces Alice’s public key A by p
○ Eve also replaces Bob’s public key B by p
● Alice will compute the private key: K = Ax
mod p = px
mod p = 0
○ K = 0 because px
divides p
○ Similarly, Bob will compute the private key: K = Bx
mod p = px
mod p = 0
● Eve knows the secret key K = 0
27. 27
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = p𝑥
mod p = 0 Secret K = p𝑦
mod p = 0
Send p to Bob Send p to Alice
Eve replaced the public
keys A and B by p
Eve knows the
secret key K = 0
Case 1: Eve edits the public keys A and B by p
28. Case 2:What if Eve sets public keys A and B to p-1?
28
● Eve replaces the public keys A and B to p-1
● Alice will compute the private key: K = Ax
mod p = (p-1)x
mod p
● If the unknown x is even, then K = (p-1)x
mod p = 1
● If the unknown x is odd, then K = (p-1)x
mod p = (p-1)x-1
(p-1) mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
29. 29
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = (p-1)𝑥
mod p Secret K = (p-1)𝑦
mod p
Send (p-1) to Bob Send (p-1) to Alice
Eve replaced the public
keys A and B by p-1
Eve knows the secret
key K =1 or (p-1)
Case 2: Eve edits the public keys A and B by p-1
30. 30
~/crypto$ echo $p
13
~/crypto$ echo $g
2
~/crypto$ echo $MiTm
true
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****12
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g $MiTm
Exception in thread "main"
java.lang.AssertionError
at
Basic_DH.main(Basic_DH.java:70)
● p = 13 and g=2
● Eve learns that the secret key can be either 1 or 12 only
● However, Alice and Bob may notice that something is
wrong because the shared secret key may be different
● For example, Alice’s K = 1 and Bob’s K = 12
● My demo program throws an exception if Alice and Bob
have different secret keys
31. Conclusion
31
● If we allow Eve to edit g, then she can fix the secret key!
● Usually, in practice, the value of g and p are hard-coded
● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g
● Demo shows that by editing the public keys, the secret key is exposed
● DH key exchange algorithm should not be used without digital signature
● Otherwise, man-in-the-middle can alter DH parameters and public keys
● These active attacks were part of Crypto exercise problems
○ (e.g., Textbooks and online cryptopal challenge set 5)