Diffie-Hellman (Key Exchange) Protocol
Rocky K. C. Chang
9 February 2007
1
Outline

- Multiplicative group modulo prime
- The basic Diffie-Hellman (DH) protocol
  - The discrete logarithm problem
  - Man in the middle attack
- Other security problems about the subgroups
  - Using a safe prime
  - Using a smaller subgroup
- An enhanced DH protocol.
Rocky, K. C. Chang
2
Motivation for the DH protocol

- Using a secret-key cryptosystem, how many secret keys are needed for a group of n people to communicate?
  - C(n, 2) = n(n–1)/2 = O(n^2)
  - Managing a large number of keys is another problem.
- Whitfield Diffie and Martin Hellman asked whether this can be done more efficiently by having the encryption and decryption keys different.
  - Came up with the Diffie-Hellman (DH) protocol, which is a partial solution.
  - Agree on a secret key over an insecure channel.
Multiplicative group modulo prime

- Assume that p is a large prime (2000–4000 bits long).
- The DH protocol uses Z*_p, the multiplicative group modulo p.
- Recall that there exists at least one primitive element in Z*_p.
  - More precisely, there are φ(p–1) of them.
  - Each one of them can generate the entire Z*_p.
The basic DH protocol

- Agree on a large prime p and a primitive element g in Z*_p.
  - Both p and g are not secrets.
- Alice (Bob) chooses a random x (y) in Z*_p (1, 2, …, p–1) and computes g^x mod p (g^y mod p).
  - Send the result to Bob (Alice); the result is not a secret.
- Alice computes the secret key k as (g^y mod p)^x mod p = g^xy mod p.
- Bob computes the secret key k as (g^x mod p)^y mod p = g^xy mod p.
The basic DH protocol

Alice: randomly pick x from Z*_p.
Bob: randomly pick y from Z*_p.
Alice → Bob: g^x
Bob → Alice: g^y
Alice: k ← (g^y)^x mod p
Bob: k ← (g^x)^y mod p
The discrete logarithm problem

- Given the knowledge of p, g, g^x mod p, and g^y mod p, how does an attacker find g^xy mod p?
- The best method known is to solve the discrete logarithm problem.
  - Given X = g^x mod p, g, and p, find x (x = log_g X).
  - Analogous to computing the logarithm of real numbers.
  - With x and g^y mod p, one can compute g^xy mod p.
For example,

- p = 13 and g = 2 is a primitive element
  - Given g^x mod p = 1, x = 0
  - Given g^x mod p = 2, x = 1
  - Given g^x mod p = 3, x = 4
  - Given g^x mod p = 4, x = 2
  - …
- Solving the discrete logarithm problem
  - Exhaustive search by computing g^1, g^2, g^3, …, until g^x is found.
  - Precompute all possible values of g^i, and then sort the list of ordered pairs (i, g^i) with respect to the second component. Perform a binary search for g^x.
  - Many other smart algorithms
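The two search strategies just listed, run on the slide's own toy parameters (p = 13, g = 2), as an added example that is not part of the lecture notes; the function names are mine. The table lookup reproduces the x values tabulated above, and recover_shared_key carries out the step from slide 7: once x = log_g X is known, the two public values give the key.

```python
from bisect import bisect_left


def dlog_exhaustive(g: int, X: int, p: int) -> int:
    """Exhaustive search as on the slide: compute g^0, g^1, g^2, ... mod p
    until the value X appears; the exponent at that point is log_g X."""
    value = 1
    for x in range(p - 1):
        if value == X:
            return x
        value = value * g % p
    raise ValueError("X is not a power of g modulo p")


def build_table(g: int, p: int):
    """Precomputation as on the slide: all pairs (i, g^i mod p), sorted by
    the second component so that any g^x can be found by binary search."""
    pairs = []
    value = 1
    for i in range(p - 1):
        pairs.append((value, i))
        value = value * g % p
    pairs.sort()
    return [v for v, _ in pairs], [i for _, i in pairs]


def dlog_table(table, X: int) -> int:
    """Binary search for X in the sorted table; returns the matching exponent."""
    values, exps = table
    pos = bisect_left(values, X)
    if pos < len(values) and values[pos] == X:
        return exps[pos]
    raise ValueError("X is not a power of g modulo p")


def recover_shared_key(g: int, X: int, Y: int, p: int) -> int:
    """Slide 7's observation: once x = log_g X is known, the shared key
    g^xy = Y^x mod p follows from the two public values alone."""
    x = dlog_table(build_table(g, p), X)
    return pow(Y, x, p)


if __name__ == "__main__":
    # Constructed toy parameters from the slide: p = 13, g = 2.
    p, g = 13, 2
    print([dlog_exhaustive(g, X, p) for X in (1, 2, 3, 4)])  # [0, 1, 4, 2]
```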
Man-in-the-middle attack

- The basic DH protocol does not protect against the man-in-the-middle attack.
- Alice cannot authenticate whether the other side is Bob, and vice versa.
- Instead, Eve establishes secret keys with Alice and Bob.
  - Eve can relay the messages so that neither side is aware of the attack.
  - Need authentication mechanisms.
Man-in-the-middle attack

Alice: randomly pick x from Z*_p.
Eve: randomly pick v and w from Z*_p.
Bob: randomly pick y from Z*_p.
Alice → Eve: g^x (intended for Bob)
Eve → Bob: g^v
Bob → Eve: g^y (intended for Alice)
Eve → Alice: g^w
Alice: k ← (g^w)^x mod p
Eve: k ← (g^w)^x mod p (computed as (g^x)^w) and k' ← (g^v)^y mod p (computed as (g^y)^v)
Bob: k' ← (g^v)^y mod p
Additional security problems

- Problem 1: Eve can intercept g^x mod p and g^y mod p, and replace them with 1.
  - Therefore, k = 1.
- Problem 2: g may not be a primitive element of Z*_p.
  - The order of g (denoted by t) may not be large enough.
  - Note that the key is in the set {1, g, g^2, …, g^(t–1)}.
  - Eve can possibly search through all possible keys.
Additional security problems

- For any divisor of p–1, say d, there is a single subgroup of size d.
  - E.g., for p–1 = 6, divisors = {1, 2, 3, 6}.
  - There are a subgroup of size 1 ({1}), a subgroup of size 2 ({1, 6}), a subgroup of size 3 ({1, 2, 4}), and a subgroup of size 6.
- Problem 3: Eve intercepts g^x mod p and replaces it with h, where h has a small order.
  - Since k = h^y mod p, the number of possible keys may not be large enough.
- If p is a large prime, then p–1 is always even.
  - Therefore, there is a subgroup of size 2: {1, p–1}.
  - Use a safe prime to avoid small subgroups other than the one of size 2, which is always present.
A safe prime approach

- A safe prime is a large enough prime p = 2q + 1, where q is also a prime.
- Now, Z*_p for such a safe prime has the following subgroups:
  - {1}
  - {1, p–1}
  - A subgroup of size q
  - A subgroup of size 2q (the full group)
- The first 2 subgroups are easy to avoid.
- The full group has one more problem.
A safe prime approach

- Consider the set of numbers in Z*_p that can be written as a square of another number in Z*_p.
- For example, p = 7:
  - 1^2 mod 7 = 1
  - 2^2 mod 7 = 4
  - 3^2 mod 7 = 2
  - 4^2 mod 7 = 2
  - 5^2 mod 7 = 4
  - 6^2 mod 7 = 1
  - {1, 2, 4} is the set of squares for p = 7.
- Exactly half the numbers in 1, …, p–1 are squares.
- Any generator of the entire group is a nonsquare (why?).
A safe prime approach

- The Legendre symbol can determine whether a number modulo p is a square or not.
- Assume g is a nonsquare and Alice sends out g^x to Bob.
- Given that Eve can determine whether g and g^x are squares, what can Eve know?
  - If g^x is a square, then x is even.
  - If g^x is a nonsquare, then x is odd.
  - That is, Eve knows the last bit of x.
A safe-prime approach

- The solution is to use the subgroup of size q, which contains the set of squares.
  - A square will only generate a square.
  - For p = 7, we use the subgroup {1, 2, 4}.
- To sum up:
  - Choose (p, q) such that p = 2q + 1, and both p and q are prime.
  - Choose a random number α in the range [2, p–2] and set g = α^2 mod p.
  - Make sure g ≠ 1 and g ≠ p–1.
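The squares, the Legendre-symbol inference and the square-generator recipe of the last three slides, as an added example that is not part of the lecture notes. Euler's criterion stands in for a Legendre-symbol library function, the safe prime p = 23 (q = 11) is a constructed toy value, and the function names are mine; parity_leak_rate contrasts a nonsquare g (last bit of x fully exposed) with the square g chosen by the recipe.

```python
def legendre(a: int, p: int) -> int:
    """Euler's criterion: a^((p-1)/2) mod p is 1 for a square and p-1 for a
    nonsquare, i.e. the Legendre symbol (a/p) with -1 written as p-1."""
    return pow(a, (p - 1) // 2, p)


def is_square(a: int, p: int) -> bool:
    return legendre(a, p) == 1


def squares_mod(p: int) -> set:
    """The set of squares in Z*_p computed directly, as on slide 14:
    {r^2 mod p : 1 <= r <= p-1}."""
    return {r * r % p for r in range(1, p)}


def infer_parity(X: int, p: int) -> int:
    """Eve's inference from slide 15 when g is a nonsquare generator: g^x is a
    square iff x is even, so the Legendre symbol of X = g^x is the last bit of x."""
    return 0 if is_square(X, p) else 1


def square_generator(alpha: int, p: int) -> int:
    """Slide 16 recipe: g = alpha^2 mod p, rejected if it lands in {1, p-1}.
    For a safe prime, any other square generates the subgroup of order q."""
    g = alpha * alpha % p
    if g in (1, p - 1):
        raise ValueError("alpha^2 is in a trivial subgroup; choose another alpha")
    return g


def parity_leak_rate(g: int, p: int) -> float:
    """Fraction of exponents x in 1..p-2 whose last bit Eve infers correctly
    from g^x alone: 1.0 for a nonsquare g, about 1/2 for a square g (every
    g^x is then a square, so she always guesses 'even')."""
    hits = sum(infer_parity(pow(g, x, p), p) == x % 2 for x in range(1, p - 1))
    return hits / (p - 2)


if __name__ == "__main__":
    # Constructed toy safe prime p = 2q + 1 = 23 (q = 11); 5 is a nonsquare mod 23.
    p, q = 23, 11
    print(sorted(squares_mod(7)))                 # [1, 2, 4], as on slide 14
    print(parity_leak_rate(5, p))                 # 1.0: nonsquare g leaks x's last bit
    g = square_generator(5, p)                    # g = 2, a square of order q
    print(pow(g, q, p), parity_leak_rate(g, p))   # 1 (order q); about 0.48
```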
Enhancing the DH protocol

- Decide on (p, q, g) according to the algorithm described on the last slide.
- When Bob receives g^x mod p from Alice, he can check whether the value is indeed from the subgroup consisting of squares.
  - Use the Legendre symbol function, or
  - Use: a number r is a square if and only if r^q ≡ 1 (mod p). Also require r ≠ 1 (avoid r = 1).
  - E.g., p = 2 × 3 + 1 (q = 3):
    - 2 is a square because 2^3 = 1 mod 7.
    - 4 is a square because 4^3 = 1 mod 7.
A smaller-subgroup approach

- The main disadvantage with the safe-prime approach is the computational workload.
  - If p is n bits long, then q is (n–1) bits long.
  - All exponents are n–1 bits long.
- Another approach is to use a smaller subgroup.
  - Choose q as a 256-bit prime (2^255 < q < 2^256).
  - Find a much larger prime p = N × q + 1, where N is randomly chosen in some range.
    - N must be even: increase from 2 to a much larger even number.
    - Check whether p is prime.
Enhancing the DH protocol

- Find an element of order q:
  - Choose a random number α in the range [2, p–2] and set g = α^N mod p.
  - Make sure that g ≠ 1 and g^q ≡ 1 (mod p).
- Same as in the last approach, Bob and Alice must check whether the received value comes from the subgroup generated by g:
  - r^q ≡ 1 (mod p) and 1 < r < p (this includes r ≠ 1).
The final DH protocol

- Based on the second approach, both Alice and Bob check (p, q, g):
  - Both p and q are prime.
  - q is 256 bits and p is sufficiently large (at least 2048 bits).
  - q is a divisor of p–1 (p = N × q + 1).
  - Choose a random number α in the range [2, p–2] and set g = α^N mod p.
  - g ≠ 1 and g^q ≡ 1 (mod p).
- Verify that the number received from the other side indeed comes from the subgroup:
  - r^q ≡ 1 (mod p) and 1 < r < p.
The final DH protocol

Alice: check (p, q, g); randomly pick x from {1, …, q–1}; X = g^x.
Bob: check (p, q, g); randomly pick y from {1, …, q–1}; Y = g^y.
Alice → Bob: X
Bob: check 1 < X < p and X^q = 1.
Bob → Alice: Y
Alice: check 1 < Y < p and Y^q = 1.
Alice: k ← Y^x mod p
Bob: k ← X^y mod p
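The parameter generation of the smaller-subgroup approach and one run of the final protocol with its subgroup checks, as an added example that is not part of the lecture notes. Primality is by trial division and the sizes are toy values (q = 13 rather than 256 bits, giving p = 53), so the bit-length requirements of the (p, q, g) check are left out; the function names are mine.

```python
import random


def is_prime(n: int) -> bool:
    """Trial division: fine for the toy sizes used here, not for a 2048-bit p
    (a real implementation uses Miller-Rabin)."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def generate_parameters(q: int, rng=None):
    """Slides 18-19: try even N = 2, 4, 6, ... until p = N*q + 1 is prime, then
    g = alpha^N mod p for random alpha in [2, p-2] until g != 1 and g^q = 1."""
    if not is_prime(q):
        raise ValueError("q must be prime")
    rng = rng or random.SystemRandom()
    n = 2
    while not is_prime(n * q + 1):
        n += 2
    p = n * q + 1
    while True:
        alpha = rng.randrange(2, p - 1)        # upper bound exclusive: [2, p-2]
        g = pow(alpha, n, p)
        if g != 1 and pow(g, q, p) == 1:
            return p, q, g


def check_parameters(p: int, q: int, g: int) -> bool:
    """Slide 20 checks on (p, q, g), minus the 256/2048-bit size requirements
    so that toy parameters pass."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and g != 1 and pow(g, q, p) == 1)


def in_subgroup(r: int, p: int, q: int) -> bool:
    """Slide 20: 1 < r < p and r^q = 1 (mod p). Rejects 1, p-1 (order 2) and
    every other element outside the subgroup generated by g."""
    return 1 < r < p and pow(r, q, p) == 1


def dh_exchange(p: int, q: int, g: int, x: int, y: int):
    """One run of the final protocol with x, y in {1, ..., q-1}: returns
    (Alice's key, Bob's key), or raises if a received value fails its check."""
    if not check_parameters(p, q, g):
        raise ValueError("bad (p, q, g)")
    X, Y = pow(g, x, p), pow(g, y, p)
    if not in_subgroup(Y, p, q):
        raise ValueError("Alice rejects Y: not in the subgroup")
    if not in_subgroup(X, p, q):
        raise ValueError("Bob rejects X: not in the subgroup")
    return pow(Y, x, p), pow(X, y, p)
```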
Summary

- The DH protocol is based on the difficulty of solving the discrete logarithm problem.
  - However, with a trapdoor (x or y), the computation of the key becomes very easy.
  - There are other public-key cryptosystems based on the discrete logarithm problem, such as the ElGamal algorithm and elliptic curves.
- We will revisit the DH protocol in the Internet Key Exchange protocol.
  - Cookies for denial-of-service attacks
  - Authentication schemes for the man-in-the-middle attack.
Acknowledgments

The notes are prepared mostly based on:

- N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.
- D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.