Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Active Attacks on DH Key Exchange

254 views

Published on

We allow Eve to modify DH parameters as well as public keys of Alice and Bob. This allows Eve to derive the secret key and break the DH crypto system. We demonstrate that the DH key exchange algorithm should not be used without digital signatures.

Published in: Technology
  • Login to see the comments

  • Be the first to like this

Active Attacks on DH Key Exchange

  1. 1. Active Attacks on DH Key Exchange Dr. Dharma Ganesan, Ph.D.,
  2. 2. Table of Contents ● Objectives of the presentation ● Cryptography problem - Secret Key Exchange ● Cryptanalysis - How to break the crypto system ● Open problems ● Conclusion 2
  3. 3. Objectives ● Demonstrate how the basic Diffie-Hellman (DH) key exchange works ● Demonstrate how an active attacker can edit DH parameters ● Demonstrate how the man-in-the-middle obtains the shared secret key ○ when DH is used without digital signature 3
  4. 4. Alice Encrypts - Eve sees gibberish - Bob Decrypts 4 Hello Bob Encryption Algorithm (open to all) Secret key K 01534236 Secret Key K Decryption Algorithm (open to all) Hello Bob Note: The same secret key K is used by encryption and decryption algorithms Kerckhoff’s principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key
  5. 5. Problem: sender and receiver need the same key 5 Key K Key K ● Alice and Bob are too far away from each other ● They never met each other ● They cannot exchange the secret key publicly (Eve is listening) ● How can they arrive at the same secret key K?
  6. 6. 6 We have been (unknowingly) using the mod notation Let’s go to bed @ 21 hour 21 ≡ 9 (mod 12) Note: When 21 is divided by 12, 9 is the remainder What is 5*8 on this clock? 5*8 = 40 ≡ 4 (mod 12) Gauss developed the theory of modular arithmetic
  7. 7. 7 Cryptographers love mod and primes Cryptographers view this clock as follows: Z* 13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} They use mod 13, which is a prime number Z* p = {1, 2, 3, …, p-1} i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 For example, 24 ≡ 3 (mod 13) 2 is a generator of this clock because it generates all hours from 1..12
  8. 8. Why cryptographers use mod and one-way functions? 8 ● In a clock, patterns are not that obvious to detect for Eve ● For example, 26 is greater than 27 in mod 13 ● Some problems are difficult to answer (without seeing the below table) ● For example, 2i ≡ 11 (mod 13), can you quickly find the i? i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 E a s y H a r d Cryptographers use one-way functions: Easy in one direction, but hard the other
  9. 9. Power rule of exponents (23 )4 = (23 )(23 )(23 )(23 ) = 212 (24 )3 = (24 )(24 )(24 ) = 212 So, (23 )4 = (24 )3 In general, (g𝑥 )𝑦 = (g 𝑦 )𝑥 = (g 𝑥𝑦 ) [Proof: Exercise] 9
  10. 10. Diffie-Hellman Key Exchange Algorithm ● In 1970s, they solved the problem of key exchange! ○ Using an one-way function (easy to compute, hard to reverse) ● Alice and Bob arrive at a shared secret key k ○ Using the power rule of exponents (no courier service) ● Eavesdropper Eve cannot easily derive the secret key k ○ Takes billions of years to solve by computers (at this time of writing) ● Diffie, W., and Hellman, M. New directions in cryptography ○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654 10 Prof. Hellman (H) Diffie (D)
  11. 11. 11 Double the hours 5 times (i.e., 25 mod 13) Double the hours 4 times (i.e., 24 mod 13) Send the clock to Bob Send the clock to Alice Key Exchange - Visual Demo Triple the hours 5 times (i.e., 35 mod 13) Sixfold the hours 4 times (i.e., 64 mod 13) Both Alice and Bob arrive at the same key (9) Note: 5 and 4 are secrets
  12. 12. 12 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = B𝑥 mod p Secret K = A𝑦 mod p Send A to Bob Send B to Alice Both Alice and Bob have the same secret key Eve sees A and B, but not 𝑥, 𝑦, or K Key Exchange Algorithm - Core Idea (assume that g and p are public)
  13. 13. 13 Pick a random number 𝑥 = 5 Pick a random number 𝑦 = 4 Compute A = 25 mod 13 Compute B = 24 mod 13 Secret K = 35 mod 13 = 9 Secret K = 64 mod 13 = 9 Send A = 6 to Bob Send B = 3 to Alice Both Alice and Bob have the secret key 9 DH Key Exchange - Example (g=2, p=13)
  14. 14. 14 How can Eve recover the secret key K? Option 1: ● Eve knows that the secret key can be in {1, 2, … 12} ● She can just try 12 possibilities to decrypt messages i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 Option 2: ● Eve builds the above table and solves B = g𝑦 mod p ● For example, B = 6 means secret 𝑦 = 5 Other Options?
  15. 15. Cryptographers use a very large clock to trick Eve 15 ● Prime p is made of at least 600 digits or so (in 2019) ○ p shall satisfy more properties (not covered here) ● Difficult for Eve to construct the table of all possibilities ● Eve will have to live for several billion years to break it ● Or, she must solve some cool problems (next slide) p-1
  16. 16. Some cool problems to solve 16 ● Problem 1: Given B, g, and p, efficiently find y such that B = g𝑦 mod p ● Problem 2: Given g𝑥 mod p and g𝑦 mod p, find g𝑥𝑦 mod p ○ The exponents 𝑥 and 𝑦 are not known to Eve, of course ● Problem 3: Find the prime factors p and q of N such that N = p*q ○ I did not talk about this problem in this presentation ○ See https://www.slideshare.net/dganesan11
  17. 17. Let’s give more power to Eve 17 ● Let’s allow Eve to edit DH parameter g ● In particular, Eve will choose g from {1, p, p-1} ● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob ● We will show that in all these cases Eve can recover the secret key K
  18. 18. 18 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p = 1 Compute B = g𝑦 mod p = 1 Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A = 1 to Bob Send B = 1 to Alice Eve replaced the g by 1 Eve knows the secret key K = 1 Case 1: Eve fixed the generator g = 1
  19. 19. 19 ~/crypto$ p=13 ~/crypto$ g=1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ● p = 13 and g=1 ● Eve learns that the secret key must be one
  20. 20. 20 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = p𝑥 mod p = 0 Compute B = p𝑦 mod p = 0 Secret K = B𝑥 mod p = 0 Secret K = A𝑦 mod p = 0 Send A = 0 to Bob Send B = 0 to Alice Eve replaced the g by p Eve knows the secret key K = 0 Case 2: Eve fixed the generator g = p
  21. 21. 21 ~/crypto$ p=13 ~/crypto$ g=13 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****0 ● p = 13 and g=13 ● Eve learns that the secret key must be zero
  22. 22. 22 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = (p-1)𝑥 mod p Compute B = (p-1)𝑦 mod p Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A to Bob Send B to Alice Eve replaced the g by p-1 Eve knows the secret key K = 1 or K = p-1 Case 3: Eve fixed the generator g = p-1
  23. 23. g = p-1 23 ● Eve replaces g by p-1 ● Alice will compute her public key: A = gx mod p = (p-1)x mod p ● Bob will compute his public key: B = gy mod p = (p-1)y mod p ● Both Alice and Bob will arrive at K = (p-1)xy mod p ● If x (or y) is even, then K = (p-1)xy mod p = 1 ● If x and y are odd, then K = (p-1)xy mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)
  24. 24. 24 ~/crypto$ p = 13 ~/crypto$ g = 12 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****12 ● p = 13 and g=12 ● Eve learns that the secret key must be 1 or p-1
  25. 25. 25 Let’s allow Eve to edit public keys A and B only
  26. 26. Case 1: What if Eve sets public keys A and B to p? 26 ● Recall that Alice and Bob send their public keys on the public channel ● What if Eve intercepts and modifies the public keys? ● Case 1: For example, Eve replaces the public keys as follows: ○ Eve replaces Alice’s public key A by p ○ Eve also replaces Bob’s public key B by p ● Alice will compute the private key: K = Ax mod p = px mod p = 0 ○ K = 0 because px divides p ○ Similarly, Bob will compute the private key: K = Bx mod p = px mod p = 0 ● Eve knows the secret key K = 0
  27. 27. 27 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = p𝑥 mod p = 0 Secret K = p𝑦 mod p = 0 Send p to Bob Send p to Alice Eve replaced the public keys A and B by p Eve knows the secret key K = 0 Case 1: Eve edits the public keys A and B by p
  28. 28. Case 2:What if Eve sets public keys A and B to p-1? 28 ● Eve replaces the public keys A and B to p-1 ● Alice will compute the private key: K = Ax mod p = (p-1)x mod p ● If the unknown x is even, then K = (p-1)x mod p = 1 ● If the unknown x is odd, then K = (p-1)x mod p = (p-1)x-1 (p-1) mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)
  29. 29. 29 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = (p-1)𝑥 mod p Secret K = (p-1)𝑦 mod p Send (p-1) to Bob Send (p-1) to Alice Eve replaced the public keys A and B by p-1 Eve knows the secret key K =1 or (p-1) Case 2: Eve edits the public keys A and B by p-1
  30. 30. 30 ~/crypto$ echo $p 13 ~/crypto$ echo $g 2 ~/crypto$ echo $MiTm true ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****12 ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g $MiTm Exception in thread "main" java.lang.AssertionError at Basic_DH.main(Basic_DH.java:70) ● p = 13 and g=2 ● Eve learns that the secret key can be either 1 or 12 only ● However, Alice and Bob may notice that something is wrong because the shared secret key may be different ● For example, Alice’s K = 1 and Bob’s K = 12 ● My demo program throws an exception if Alice and Bob have different secret keys
  31. 31. Conclusion 31 ● If we allow Eve to edit g, then she can fix the secret key! ● Usually, in practice, the value of g and p are hard-coded ● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g ● Demo shows that by editing the public keys, the secret key is exposed ● DH key exchange algorithm should not be used without digital signature ● Otherwise, man-in-the-middle can alter DH parameters and public keys ● These active attacks were part of Crypto exercise problems ○ (e.g., Textbooks and online cryptopal challenge set 5)
  32. 32. Appendix - Proof of concept (not for production use) 32
  33. 33. 33 public class Basic_DH { private BigInteger p = BigInteger.valueOf(2); private BigInteger g = BigInteger.valueOf(2); public Basic_DH(BigInteger p, BigInteger g) { this.p = p; this.g = g; } private Basic_DH(){} public BigInteger generatePublicKey(BigInteger privKey) { return g.modPow(privKey, p); } public BigInteger generatePrivKey() { while(true) { BigInteger privKey = new BigInteger(p.bitLength(), new SecureRandom()); if(privKey.compareTo(p) < 0) return privKey; } } public BigInteger generateSessionKey(BigInteger pubKey, BigInteger privKey) { return pubKey.modPow(privKey, p); } }
  34. 34. 34 BigInteger p = new BigInteger(args[0]); BigInteger g = new BigInteger(args[1]); if(args.length > 2) { MitM_Param_Injection = Boolean.parseBoolean(args[2]); } Basic_DH dh = new Basic_DH(p, g); BigInteger x = dh.generatePrivKey(); BigInteger A = dh.generatePublicKey(x); BigInteger y = dh.generatePrivKey(); BigInteger B = dh.generatePublicKey(y); if(MitM_Param_Injection) { B = p.subtract(BigInteger.ONE); A = p.subtract(BigInteger.ONE); } BigInteger alice_sk = dh.generateSessionKey(B, x); BigInteger bob_sk = dh.generateSessionKey(A, y); assert alice_sk.equals(bob_sk); System.out.println("*** Secret Session Key = ****" + alice_sk);

×