SlideShare a Scribd company logo
Active Attacks on DH Key Exchange
Dr. Dharma Ganesan, Ph.D.,
Table of Contents
● Objectives of the presentation
● Cryptography problem - Secret Key Exchange
● Cryptanalysis - How to break the crypto system
● Open problems
● Conclusion
2
Objectives
● Demonstrate how the basic Diffie-Hellman (DH) key exchange works
● Demonstrate how an active attacker can edit DH parameters
● Demonstrate how the man-in-the-middle obtains the shared secret key
○ when DH is used without digital signature
3
Alice Encrypts - Eve sees gibberish - Bob Decrypts
4
Hello Bob
Encryption
Algorithm
(open to all)
Secret
key K
01534236
Secret
Key K
Decryption
Algorithm
(open to all)
Hello Bob
Note: The same secret key K is used by
encryption and decryption algorithms
Kerckhoff’s principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key
Problem: sender and receiver need the same key
5
Key K Key K
● Alice and Bob are too far away
from each other
● They never met each other
● They cannot exchange the secret
key publicly (Eve is listening)
● How can they arrive at the same
secret key K?
6
We have been (unknowingly) using the mod notation
Let’s go to bed @ 21 hour
21 ≡ 9 (mod 12)
Note: When 21 is divided by 12, 9 is the remainder
What is 5*8 on this clock?
5*8 = 40 ≡ 4 (mod 12) Gauss developed the theory of
modular arithmetic
7
Cryptographers love mod and primes
Cryptographers view this clock as follows:
Z*
13
= {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
They use mod 13, which is a prime number
Z*
p
= {1, 2, 3, …, p-1}
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
For example, 24
≡ 3 (mod 13) 2 is a generator of this clock because it generates all hours from 1..12
Why cryptographers use mod and one-way functions?
8
● In a clock, patterns are not that obvious to detect for Eve
● For example, 26
is greater than 27
in mod 13
● Some problems are difficult to answer (without seeing the below table)
● For example, 2i
≡ 11 (mod 13), can you quickly find the i?
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
E
a
s
y
H
a
r
d
Cryptographers use one-way functions: Easy in one direction, but hard the other
Power rule of exponents
(23
)4
= (23
)(23
)(23
)(23
) = 212
(24
)3
= (24
)(24
)(24
) = 212
So, (23
)4
= (24
)3
In general, (g𝑥
)𝑦
= (g 𝑦
)𝑥
= (g 𝑥𝑦
) [Proof: Exercise]
9
Diffie-Hellman Key Exchange Algorithm
● In 1970s, they solved the problem of key exchange!
○ Using an one-way function (easy to compute, hard to reverse)
● Alice and Bob arrive at a shared secret key k
○ Using the power rule of exponents (no courier service)
● Eavesdropper Eve cannot easily derive the secret key k
○ Takes billions of years to solve by computers (at this time of writing)
● Diffie, W., and Hellman, M. New directions in cryptography
○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654
10
Prof. Hellman (H) Diffie (D)
11
Double the hours 5 times (i.e., 25
mod 13) Double the hours 4 times (i.e., 24
mod 13)
Send the clock to Bob Send the clock to Alice
Key Exchange - Visual Demo
Triple the hours 5 times (i.e., 35
mod 13) Sixfold the hours 4 times (i.e., 64
mod 13)
Both Alice and Bob arrive at the same key (9)
Note: 5 and 4 are secrets
12
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = B𝑥
mod p Secret K = A𝑦
mod p
Send A to Bob Send B to Alice
Both Alice and Bob have
the same secret key
Eve sees A and B,
but not 𝑥, 𝑦, or K
Key Exchange Algorithm - Core Idea
(assume that g and p are public)
13
Pick a random number 𝑥 = 5 Pick a random number 𝑦 = 4
Compute A = 25
mod 13 Compute B = 24
mod 13
Secret K = 35
mod 13 = 9 Secret K = 64
mod 13 = 9
Send A = 6 to Bob Send B = 3 to Alice
Both Alice and Bob
have the secret key 9
DH Key Exchange - Example (g=2, p=13)
14
How can Eve recover the secret key K?
Option 1:
● Eve knows that the secret key can be in {1, 2, … 12}
● She can just try 12 possibilities to decrypt messages
i 1 2 3 4 5 6 7 8 9 10 11 12
2i
2 4 8 3 6 12 11 9 5 10 7 1
Option 2:
● Eve builds the above table and solves B = g𝑦
mod p
● For example, B = 6 means secret 𝑦 = 5
Other Options?
Cryptographers use a very large clock to trick Eve
15
● Prime p is made of at least 600 digits or so (in 2019)
○ p shall satisfy more properties (not covered here)
● Difficult for Eve to construct the table of all possibilities
● Eve will have to live for several billion years to break it
● Or, she must solve some cool problems (next slide)
p-1
Some cool problems to solve
16
● Problem 1: Given B, g, and p, efficiently find y such that B = g𝑦
mod p
● Problem 2: Given g𝑥
mod p and g𝑦
mod p, find g𝑥𝑦
mod p
○ The exponents 𝑥 and 𝑦 are not known to Eve, of course
● Problem 3: Find the prime factors p and q of N such that N = p*q
○ I did not talk about this problem in this presentation
○ See https://www.slideshare.net/dganesan11
Let’s give more power to Eve
17
● Let’s allow Eve to edit DH parameter g
● In particular, Eve will choose g from {1, p, p-1}
● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob
● We will show that in all these cases Eve can recover the secret key K
18
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p = 1 Compute B = g𝑦
mod p = 1
Secret K = B𝑥
mod p = 1 Secret K = A𝑦
mod p = 1
Send A = 1 to Bob Send B = 1 to Alice
Eve replaced the g by 1 Eve knows the
secret key K = 1
Case 1: Eve fixed the generator g = 1
19
~/crypto$ p=13
~/crypto$ g=1
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****1
● p = 13 and g=1
● Eve learns that the secret key must be one
20
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = p𝑥
mod p = 0 Compute B = p𝑦
mod p = 0
Secret K = B𝑥
mod p = 0 Secret K = A𝑦
mod p = 0
Send A = 0 to Bob Send B = 0 to Alice
Eve replaced the g by p Eve knows the
secret key K = 0
Case 2: Eve fixed the generator g = p
21
~/crypto$ p=13
~/crypto$ g=13
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****0
● p = 13 and g=13
● Eve learns that the secret key must be zero
22
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = (p-1)𝑥
mod p Compute B = (p-1)𝑦
mod p
Secret K = B𝑥
mod p = 1 Secret K = A𝑦
mod p = 1
Send A to Bob Send B to Alice
Eve replaced the g by p-1 Eve knows the secret
key K = 1 or K = p-1
Case 3: Eve fixed the generator g = p-1
g = p-1
23
● Eve replaces g by p-1
● Alice will compute her public key: A = gx
mod p = (p-1)x
mod p
● Bob will compute his public key: B = gy
mod p = (p-1)y
mod p
● Both Alice and Bob will arrive at K = (p-1)xy
mod p
● If x (or y) is even, then K = (p-1)xy
mod p = 1
● If x and y are odd, then K = (p-1)xy
mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
24
~/crypto$ p = 13
~/crypto$ g = 12
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****12
● p = 13 and g=12
● Eve learns that the secret key must be 1 or p-1
25
Let’s allow Eve to edit public keys A and B only
Case 1: What if Eve sets public keys A and B to p?
26
● Recall that Alice and Bob send their public keys on the public channel
● What if Eve intercepts and modifies the public keys?
● Case 1: For example, Eve replaces the public keys as follows:
○ Eve replaces Alice’s public key A by p
○ Eve also replaces Bob’s public key B by p
● Alice will compute the private key: K = Ax
mod p = px
mod p = 0
○ K = 0 because px
divides p
○ Similarly, Bob will compute the private key: K = Bx
mod p = px
mod p = 0
● Eve knows the secret key K = 0
27
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = p𝑥
mod p = 0 Secret K = p𝑦
mod p = 0
Send p to Bob Send p to Alice
Eve replaced the public
keys A and B by p
Eve knows the
secret key K = 0
Case 1: Eve edits the public keys A and B by p
Case 2:What if Eve sets public keys A and B to p-1?
28
● Eve replaces the public keys A and B to p-1
● Alice will compute the private key: K = Ax
mod p = (p-1)x
mod p
● If the unknown x is even, then K = (p-1)x
mod p = 1
● If the unknown x is odd, then K = (p-1)x
mod p = (p-1)x-1
(p-1) mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
29
Pick a random number 𝑥 Pick a random number 𝑦
Compute A = g𝑥
mod p Compute B = g𝑦
mod p
Secret K = (p-1)𝑥
mod p Secret K = (p-1)𝑦
mod p
Send (p-1) to Bob Send (p-1) to Alice
Eve replaced the public
keys A and B by p-1
Eve knows the secret
key K =1 or (p-1)
Case 2: Eve edits the public keys A and B by p-1
30
~/crypto$ echo $p
13
~/crypto$ echo $g
2
~/crypto$ echo $MiTm
true
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****12
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g $MiTm
Exception in thread "main"
java.lang.AssertionError
at
Basic_DH.main(Basic_DH.java:70)
● p = 13 and g=2
● Eve learns that the secret key can be either 1 or 12 only
● However, Alice and Bob may notice that something is
wrong because the shared secret key may be different
● For example, Alice’s K = 1 and Bob’s K = 12
● My demo program throws an exception if Alice and Bob
have different secret keys
Conclusion
31
● If we allow Eve to edit g, then she can fix the secret key!
● Usually, in practice, the value of g and p are hard-coded
● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g
● Demo shows that by editing the public keys, the secret key is exposed
● DH key exchange algorithm should not be used without digital signature
● Otherwise, man-in-the-middle can alter DH parameters and public keys
● These active attacks were part of Crypto exercise problems
○ (e.g., Textbooks and online cryptopal challenge set 5)
Appendix - Proof of concept (not for production use)
32
33
public class Basic_DH {
private BigInteger p = BigInteger.valueOf(2);
private BigInteger g = BigInteger.valueOf(2);
public Basic_DH(BigInteger p, BigInteger g) {
this.p = p;
this.g = g;
}
private Basic_DH(){}
public BigInteger generatePublicKey(BigInteger privKey) {
return g.modPow(privKey, p);
}
public BigInteger generatePrivKey() {
while(true) {
BigInteger privKey = new BigInteger(p.bitLength(), new SecureRandom());
if(privKey.compareTo(p) < 0) return privKey;
}
}
public BigInteger generateSessionKey(BigInteger pubKey, BigInteger privKey) {
return pubKey.modPow(privKey, p);
}
}
34
BigInteger p = new BigInteger(args[0]);
BigInteger g = new BigInteger(args[1]);
if(args.length > 2) {
MitM_Param_Injection = Boolean.parseBoolean(args[2]);
}
Basic_DH dh = new Basic_DH(p, g);
BigInteger x = dh.generatePrivKey();
BigInteger A = dh.generatePublicKey(x);
BigInteger y = dh.generatePrivKey();
BigInteger B = dh.generatePublicKey(y);
if(MitM_Param_Injection) {
B = p.subtract(BigInteger.ONE);
A = p.subtract(BigInteger.ONE);
}
BigInteger alice_sk = dh.generateSessionKey(B, x);
BigInteger bob_sk = dh.generateSessionKey(A, y);
assert alice_sk.equals(bob_sk);
System.out.println("*** Secret Session Key = ****" + alice_sk);

More Related Content

What's hot

Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
Data Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve CryptographyData Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve CryptographyIJCERT
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemAleksandr Yampolskiy
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39sravanbabu
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionMd. Ariful Hoque
 
Al-Gamal-W6(al gamal)-d1-d2
Al-Gamal-W6(al gamal)-d1-d2Al-Gamal-W6(al gamal)-d1-d2
Al-Gamal-W6(al gamal)-d1-d2Fahad Layth
 
Csr2011 june15 12_00_davydow
Csr2011 june15 12_00_davydowCsr2011 june15 12_00_davydow
Csr2011 june15 12_00_davydowCSR2011
 
Number Theory In Cryptography
Number Theory In CryptographyNumber Theory In Cryptography
Number Theory In CryptographyAadya Vatsa
 
8 queens problem using back tracking
8 queens problem using back tracking8 queens problem using back tracking
8 queens problem using back trackingTech_MX
 

What's hot (20)

Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
1508.07756v1
1508.07756v11508.07756v1
1508.07756v1
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
Data Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve CryptographyData Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve Cryptography
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape Problem
 
Crypto cs36 39
Crypto cs36 39Crypto cs36 39
Crypto cs36 39
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
 
Al-Gamal-W6(al gamal)-d1-d2
Al-Gamal-W6(al gamal)-d1-d2Al-Gamal-W6(al gamal)-d1-d2
Al-Gamal-W6(al gamal)-d1-d2
 
Csr2011 june15 12_00_davydow
Csr2011 june15 12_00_davydowCsr2011 june15 12_00_davydow
Csr2011 june15 12_00_davydow
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Network security CS2
Network security CS2Network security CS2
Network security CS2
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
Number Theory In Cryptography
Number Theory In CryptographyNumber Theory In Cryptography
Number Theory In Cryptography
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
Network security cs5
Network security cs5Network security cs5
Network security cs5
 
8 queens problem using back tracking
8 queens problem using back tracking8 queens problem using back tracking
8 queens problem using back tracking
 

Similar to Active Attacks on DH Key Exchange

Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithmSunita Kharayat
 
Demystifying Zero Knowledge Proofs [FINAL].pptx
Demystifying Zero Knowledge Proofs [FINAL].pptxDemystifying Zero Knowledge Proofs [FINAL].pptx
Demystifying Zero Knowledge Proofs [FINAL].pptxRedWhite12
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyDavid Evans
 
Elliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsElliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsMartijn Grooten
 
Cyber Security Part-3.pptx
Cyber Security Part-3.pptxCyber Security Part-3.pptx
Cyber Security Part-3.pptxRavikumarVadana
 
Subtract integers
Subtract integersSubtract integers
Subtract integersjfincel32
 
DISCRETE LOGARITHM PROBLEM
DISCRETE LOGARITHM PROBLEMDISCRETE LOGARITHM PROBLEM
DISCRETE LOGARITHM PROBLEMMANISH KUMAR
 
Semana 14 ecuacion cuadratica álgebra-uni ccesa007
Semana 14   ecuacion cuadratica  álgebra-uni ccesa007Semana 14   ecuacion cuadratica  álgebra-uni ccesa007
Semana 14 ecuacion cuadratica álgebra-uni ccesa007Demetrio Ccesa Rayme
 
Zero Knowledge Proofs: What they are and how they work
Zero Knowledge Proofs: What they are and how they workZero Knowledge Proofs: What they are and how they work
Zero Knowledge Proofs: What they are and how they workAll Things Open
 
module4_dynamic programming_2022.pdf
module4_dynamic programming_2022.pdfmodule4_dynamic programming_2022.pdf
module4_dynamic programming_2022.pdfShiwani Gupta
 
With Math - Diffie-Hellman Rick.ppt
With Math - Diffie-Hellman Rick.pptWith Math - Diffie-Hellman Rick.ppt
With Math - Diffie-Hellman Rick.pptishaankumar39
 
Cryptography-Diffie Hellman Key Exchange Algorithm.pptx
Cryptography-Diffie Hellman Key Exchange Algorithm.pptxCryptography-Diffie Hellman Key Exchange Algorithm.pptx
Cryptography-Diffie Hellman Key Exchange Algorithm.pptxssuser7e0a0e
 

Similar to Active Attacks on DH Key Exchange (20)

Ecc2
Ecc2Ecc2
Ecc2
 
Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithm
 
Demystifying Zero Knowledge Proofs [FINAL].pptx
Demystifying Zero Knowledge Proofs [FINAL].pptxDemystifying Zero Knowledge Proofs [FINAL].pptx
Demystifying Zero Knowledge Proofs [FINAL].pptx
 
P10co982 (2)
P10co982 (2)P10co982 (2)
P10co982 (2)
 
Rsa example
Rsa exampleRsa example
Rsa example
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve Cryptography
 
Elliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsElliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of maths
 
Rsa Algorithm
Rsa AlgorithmRsa Algorithm
Rsa Algorithm
 
lecture10.pdf
lecture10.pdflecture10.pdf
lecture10.pdf
 
Cyber Security Part-3.pptx
Cyber Security Part-3.pptxCyber Security Part-3.pptx
Cyber Security Part-3.pptx
 
Subtract integers
Subtract integersSubtract integers
Subtract integers
 
DISCRETE LOGARITHM PROBLEM
DISCRETE LOGARITHM PROBLEMDISCRETE LOGARITHM PROBLEM
DISCRETE LOGARITHM PROBLEM
 
Semana 14 ecuacion cuadratica álgebra-uni ccesa007
Semana 14   ecuacion cuadratica  álgebra-uni ccesa007Semana 14   ecuacion cuadratica  álgebra-uni ccesa007
Semana 14 ecuacion cuadratica álgebra-uni ccesa007
 
Zero Knowledge Proofs: What they are and how they work
Zero Knowledge Proofs: What they are and how they workZero Knowledge Proofs: What they are and how they work
Zero Knowledge Proofs: What they are and how they work
 
module4_dynamic programming_2022.pdf
module4_dynamic programming_2022.pdfmodule4_dynamic programming_2022.pdf
module4_dynamic programming_2022.pdf
 
With Math - Diffie-Hellman Rick.ppt
With Math - Diffie-Hellman Rick.pptWith Math - Diffie-Hellman Rick.ppt
With Math - Diffie-Hellman Rick.ppt
 
Other public key systems
Other public key systemsOther public key systems
Other public key systems
 
Cryptography-Diffie Hellman Key Exchange Algorithm.pptx
Cryptography-Diffie Hellman Key Exchange Algorithm.pptxCryptography-Diffie Hellman Key Exchange Algorithm.pptx
Cryptography-Diffie Hellman Key Exchange Algorithm.pptx
 
P1-Chp2-Quadratics.pptx
P1-Chp2-Quadratics.pptxP1-Chp2-Quadratics.pptx
P1-Chp2-Quadratics.pptx
 

More from Dharmalingam Ganesan

Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfDharmalingam Ganesan
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based TestingDharmalingam Ganesan
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksDharmalingam Ganesan
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesDharmalingam Ganesan
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solverDharmalingam Ganesan
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
 

More from Dharmalingam Ganesan (17)

.NET Deserialization Attacks
.NET Deserialization Attacks.NET Deserialization Attacks
.NET Deserialization Attacks
 
Reverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdfReverse Architecting using Relation Algebra.pdf
Reverse Architecting using Relation Algebra.pdf
 
How to exploit rand()?
How to exploit rand()?How to exploit rand()?
How to exploit rand()?
 
An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
 
Thank-a-Gram
Thank-a-GramThank-a-Gram
Thank-a-Gram
 
Can I write to a read only file ?
Can I write to a read only file ?Can I write to a read only file ?
Can I write to a read only file ?
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Requirements driven Model-based Testing
Requirements driven Model-based TestingRequirements driven Model-based Testing
Requirements driven Model-based Testing
 
Automated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering TasksAutomated Traceability for Software Engineering Tasks
Automated Traceability for Software Engineering Tasks
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
Reverse Engineering of Module Dependencies
Reverse Engineering of Module DependenciesReverse Engineering of Module Dependencies
Reverse Engineering of Module Dependencies
 
Software Architecture
Software ArchitectureSoftware Architecture
Software Architecture
 
Integer security analysis using smt solver
Integer security analysis using smt solverInteger security analysis using smt solver
Integer security analysis using smt solver
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
20170605135932210 thank you card7
20170605135932210 thank you card720170605135932210 thank you card7
20170605135932210 thank you card7
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfAnthony Lucente
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Boni Yeamin
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 
Motion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyMotion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyUXDXConf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 

Recently uploaded (20)

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Motion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in TechnologyMotion for AI: Creating Empathy in Technology
Motion for AI: Creating Empathy in Technology
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 

Active Attacks on DH Key Exchange

  • 1. Active Attacks on DH Key Exchange Dr. Dharma Ganesan, Ph.D.,
  • 2. Table of Contents ● Objectives of the presentation ● Cryptography problem - Secret Key Exchange ● Cryptanalysis - How to break the crypto system ● Open problems ● Conclusion 2
  • 3. Objectives ● Demonstrate how the basic Diffie-Hellman (DH) key exchange works ● Demonstrate how an active attacker can edit DH parameters ● Demonstrate how the man-in-the-middle obtains the shared secret key ○ when DH is used without digital signature 3
  • 4. Alice Encrypts - Eve sees gibberish - Bob Decrypts 4 Hello Bob Encryption Algorithm (open to all) Secret key K 01534236 Secret Key K Decryption Algorithm (open to all) Hello Bob Note: The same secret key K is used by encryption and decryption algorithms Kerckhoff’s principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key
  • 5. Problem: sender and receiver need the same key 5 Key K Key K ● Alice and Bob are too far away from each other ● They never met each other ● They cannot exchange the secret key publicly (Eve is listening) ● How can they arrive at the same secret key K?
  • 6. 6 We have been (unknowingly) using the mod notation Let’s go to bed @ 21 hour 21 ≡ 9 (mod 12) Note: When 21 is divided by 12, 9 is the remainder What is 5*8 on this clock? 5*8 = 40 ≡ 4 (mod 12) Gauss developed the theory of modular arithmetic
  • 7. 7 Cryptographers love mod and primes Cryptographers view this clock as follows: Z* 13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} They use mod 13, which is a prime number Z* p = {1, 2, 3, …, p-1} i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 For example, 24 ≡ 3 (mod 13) 2 is a generator of this clock because it generates all hours from 1..12
  • 8. Why cryptographers use mod and one-way functions? 8 ● In a clock, patterns are not that obvious to detect for Eve ● For example, 26 is greater than 27 in mod 13 ● Some problems are difficult to answer (without seeing the below table) ● For example, 2i ≡ 11 (mod 13), can you quickly find the i? i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 E a s y H a r d Cryptographers use one-way functions: Easy in one direction, but hard the other
  • 9. Power rule of exponents (23 )4 = (23 )(23 )(23 )(23 ) = 212 (24 )3 = (24 )(24 )(24 ) = 212 So, (23 )4 = (24 )3 In general, (g𝑥 )𝑦 = (g 𝑦 )𝑥 = (g 𝑥𝑦 ) [Proof: Exercise] 9
  • 10. Diffie-Hellman Key Exchange Algorithm ● In 1970s, they solved the problem of key exchange! ○ Using an one-way function (easy to compute, hard to reverse) ● Alice and Bob arrive at a shared secret key k ○ Using the power rule of exponents (no courier service) ● Eavesdropper Eve cannot easily derive the secret key k ○ Takes billions of years to solve by computers (at this time of writing) ● Diffie, W., and Hellman, M. New directions in cryptography ○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654 10 Prof. Hellman (H) Diffie (D)
  • 11. 11 Double the hours 5 times (i.e., 25 mod 13) Double the hours 4 times (i.e., 24 mod 13) Send the clock to Bob Send the clock to Alice Key Exchange - Visual Demo Triple the hours 5 times (i.e., 35 mod 13) Sixfold the hours 4 times (i.e., 64 mod 13) Both Alice and Bob arrive at the same key (9) Note: 5 and 4 are secrets
  • 12. 12 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = B𝑥 mod p Secret K = A𝑦 mod p Send A to Bob Send B to Alice Both Alice and Bob have the same secret key Eve sees A and B, but not 𝑥, 𝑦, or K Key Exchange Algorithm - Core Idea (assume that g and p are public)
  • 13. 13 Pick a random number 𝑥 = 5 Pick a random number 𝑦 = 4 Compute A = 25 mod 13 Compute B = 24 mod 13 Secret K = 35 mod 13 = 9 Secret K = 64 mod 13 = 9 Send A = 6 to Bob Send B = 3 to Alice Both Alice and Bob have the secret key 9 DH Key Exchange - Example (g=2, p=13)
  • 14. 14 How can Eve recover the secret key K? Option 1: ● Eve knows that the secret key can be in {1, 2, … 12} ● She can just try 12 possibilities to decrypt messages i 1 2 3 4 5 6 7 8 9 10 11 12 2i 2 4 8 3 6 12 11 9 5 10 7 1 Option 2: ● Eve builds the above table and solves B = g𝑦 mod p ● For example, B = 6 means secret 𝑦 = 5 Other Options?
  • 15. Cryptographers use a very large clock to trick Eve 15 ● Prime p is made of at least 600 digits or so (in 2019) ○ p shall satisfy more properties (not covered here) ● Difficult for Eve to construct the table of all possibilities ● Eve will have to live for several billion years to break it ● Or, she must solve some cool problems (next slide) p-1
  • 16. Some cool problems to solve 16 ● Problem 1: Given B, g, and p, efficiently find y such that B = g𝑦 mod p ● Problem 2: Given g𝑥 mod p and g𝑦 mod p, find g𝑥𝑦 mod p ○ The exponents 𝑥 and 𝑦 are not known to Eve, of course ● Problem 3: Find the prime factors p and q of N such that N = p*q ○ I did not talk about this problem in this presentation ○ See https://www.slideshare.net/dganesan11
  • 17. Let’s give more power to Eve 17 ● Let’s allow Eve to edit DH parameter g ● In particular, Eve will choose g from {1, p, p-1} ● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob ● We will show that in all these cases Eve can recover the secret key K
  • 18. 18 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p = 1 Compute B = g𝑦 mod p = 1 Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A = 1 to Bob Send B = 1 to Alice Eve replaced the g by 1 Eve knows the secret key K = 1 Case 1: Eve fixed the generator g = 1
  • 19. 19 ~/crypto$ p=13 ~/crypto$ g=1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ● p = 13 and g=1 ● Eve learns that the secret key must be one
  • 20. 20 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = p𝑥 mod p = 0 Compute B = p𝑦 mod p = 0 Secret K = B𝑥 mod p = 0 Secret K = A𝑦 mod p = 0 Send A = 0 to Bob Send B = 0 to Alice Eve replaced the g by p Eve knows the secret key K = 0 Case 2: Eve fixed the generator g = p
  • 21. 21 ~/crypto$ p=13 ~/crypto$ g=13 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****0 ● p = 13 and g=13 ● Eve learns that the secret key must be zero
  • 22. 22 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = (p-1)𝑥 mod p Compute B = (p-1)𝑦 mod p Secret K = B𝑥 mod p = 1 Secret K = A𝑦 mod p = 1 Send A to Bob Send B to Alice Eve replaced the g by p-1 Eve knows the secret key K = 1 or K = p-1 Case 3: Eve fixed the generator g = p-1
  • 23. g = p-1 23 ● Eve replaces g by p-1 ● Alice will compute her public key: A = gx mod p = (p-1)x mod p ● Bob will compute his public key: B = gy mod p = (p-1)y mod p ● Both Alice and Bob will arrive at K = (p-1)xy mod p ● If x (or y) is even, then K = (p-1)xy mod p = 1 ● If x and y are odd, then K = (p-1)xy mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)
  • 24. 24 ~/crypto$ p = 13 ~/crypto$ g = 12 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g *** Secret Session Key = ****12 ● p = 13 and g=12 ● Eve learns that the secret key must be 1 or p-1
  • 25. 25 Let’s allow Eve to edit public keys A and B only
  • 26. Case 1: What if Eve sets public keys A and B to p? 26 ● Recall that Alice and Bob send their public keys on the public channel ● What if Eve intercepts and modifies the public keys? ● Case 1: For example, Eve replaces the public keys as follows: ○ Eve replaces Alice’s public key A by p ○ Eve also replaces Bob’s public key B by p ● Alice will compute the private key: K = Ax mod p = px mod p = 0 ○ K = 0 because px divides p ○ Similarly, Bob will compute the private key: K = Bx mod p = px mod p = 0 ● Eve knows the secret key K = 0
  • 27. 27 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = p𝑥 mod p = 0 Secret K = p𝑦 mod p = 0 Send p to Bob Send p to Alice Eve replaced the public keys A and B by p Eve knows the secret key K = 0 Case 1: Eve edits the public keys A and B by p
  • 28. Case 2:What if Eve sets public keys A and B to p-1? 28 ● Eve replaces the public keys A and B to p-1 ● Alice will compute the private key: K = Ax mod p = (p-1)x mod p ● If the unknown x is even, then K = (p-1)x mod p = 1 ● If the unknown x is odd, then K = (p-1)x mod p = (p-1)x-1 (p-1) mod p = (p-1) ● So, Eve learned the secret key K can be either 1 or (p-1)
  • 29. 29 Pick a random number 𝑥 Pick a random number 𝑦 Compute A = g𝑥 mod p Compute B = g𝑦 mod p Secret K = (p-1)𝑥 mod p Secret K = (p-1)𝑦 mod p Send (p-1) to Bob Send (p-1) to Alice Eve replaced the public keys A and B by p-1 Eve knows the secret key K =1 or (p-1) Case 2: Eve edits the public keys A and B by p-1
  • 30. 30 ~/crypto$ echo $p 13 ~/crypto$ echo $g 2 ~/crypto$ echo $MiTm true ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****12 ~/crypto$ java -ea Basic_DH $p $g $MiTm *** Secret Session Key = ****1 ~/crypto$ java -ea Basic_DH $p $g $MiTm Exception in thread "main" java.lang.AssertionError at Basic_DH.main(Basic_DH.java:70) ● p = 13 and g=2 ● Eve learns that the secret key can be either 1 or 12 only ● However, Alice and Bob may notice that something is wrong because the shared secret key may be different ● For example, Alice’s K = 1 and Bob’s K = 12 ● My demo program throws an exception if Alice and Bob have different secret keys
  • 31. Conclusion 31 ● If we allow Eve to edit g, then she can fix the secret key! ● Usually, in practice, the value of g and p are hard-coded ● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g ● Demo shows that by editing the public keys, the secret key is exposed ● DH key exchange algorithm should not be used without digital signature ● Otherwise, man-in-the-middle can alter DH parameters and public keys ● These active attacks were part of Crypto exercise problems ○ (e.g., Textbooks and online cryptopal challenge set 5)
  • 32. Appendix - Proof of concept (not for production use) 32
  • 33. 33 public class Basic_DH { private BigInteger p = BigInteger.valueOf(2); private BigInteger g = BigInteger.valueOf(2); public Basic_DH(BigInteger p, BigInteger g) { this.p = p; this.g = g; } private Basic_DH(){} public BigInteger generatePublicKey(BigInteger privKey) { return g.modPow(privKey, p); } public BigInteger generatePrivKey() { while(true) { BigInteger privKey = new BigInteger(p.bitLength(), new SecureRandom()); if(privKey.compareTo(p) < 0) return privKey; } } public BigInteger generateSessionKey(BigInteger pubKey, BigInteger privKey) { return pubKey.modPow(privKey, p); } }
  • 34. 34 BigInteger p = new BigInteger(args[0]); BigInteger g = new BigInteger(args[1]); if(args.length > 2) { MitM_Param_Injection = Boolean.parseBoolean(args[2]); } Basic_DH dh = new Basic_DH(p, g); BigInteger x = dh.generatePrivKey(); BigInteger A = dh.generatePublicKey(x); BigInteger y = dh.generatePrivKey(); BigInteger B = dh.generatePublicKey(y); if(MitM_Param_Injection) { B = p.subtract(BigInteger.ONE); A = p.subtract(BigInteger.ONE); } BigInteger alice_sk = dh.generateSessionKey(B, x); BigInteger bob_sk = dh.generateSessionKey(A, y); assert alice_sk.equals(bob_sk); System.out.println("*** Secret Session Key = ****" + alice_sk);