CIS551 Lecture 10 Notes

2/16/2006

 

Project 2 is now available on the course webpage.  It is due on 3/14/2006.  Please follow the instructions carefully, especially with regards to filenames, to make it easy for automating testing.

 

Diffie-Hellman Key Exchange

 

Symmetric key cryptography only works when both communicating parties share a secret key.  When out-of-band communication is possible, secret keys can be transferred in that manner.  However, how do two parties communicating only over a public communications medium come to share a secret key?

 

The basic idea of the Diffie-Hellman Key Exchange protocol is that each of the communicating parties creates a part of the shared key which they keep private, but they publicy send a something derived from that key, so that all the communicating parties can combine the public part that they received with their own private part to get a common shared key. 

 

There is an analogy in the lecture slides dealing with paint.  We assume that someone who sees a new color of paint cannot discern which other colors were combined to create the new one.  The Diffie-Hellman Key Exchange proceeds like so:

 

1.   Alice chooses a public base color and tells Bart what it is publicly.

2.   Alice also chooses a private color and tells no one.

3.   Bart chooses a private color and tells no one.

4.   Alice mixes her private color with the public color and sends it to Bart.

5.   Bart mixes his private color with the public color and sends it to Alice.

6.   Alice mixes the mixed color that she received from Bart with her private color.

7.   Bart mixes the mixed that he received from Alice with his private color.

8.   Both Alice and Bart have the same shared secret color that no one else can reproduce just by watching their public exchange of colors (since there would be too much of the public color if they just mixed what they saw).

 

The mathematics behind the Diffie-Hellman Key Exchange is basic modular arithmetic.  Recall that the finite field of a prime p is 0, 1, 2, …, p - 1.  A primitive root of prime p is a number that when raised to different exponents mod p generates all the non-zero numbers in the finite field of p.  A primitive root is also called a generator.  For example, 2 is a primitive root of 5 because 2⁰ mod 5 = 1, 2¹ mod 5 = 2, 2² mod 5 = 4, and 2³ mod 5 = 3.  The key feature of a primitive root is that if you are given a primitive root, a prime, and a number generated by raising the primitive root to an unknown power modulo the prime, then it is computationally hard to figure out what the unknown exponent was (for sufficiently large primes).

 

1.   Alice chooses a prime p and a generator g and sends them to Bart publicly.

2.   Alice chooses a private exponent a and sends g^a mod p to Bart.

3.   Bart chooses a private exponent b and sends g^b mod p to Alice.

4.   Alice computes (g^b mod p)^a mod p which equals g^ba mod p.

5.   Bart computes (g^a mod p)^b mod p which equals g^ab mod p.

6.   By the commutative property, g^ba mod p = g^ab mod p, so Bart and Alice have a shared secret.

7.   Onlookers only have p, g, g^a mod p, and g^b mod p.  Since the discrete logarithm problem is computationally hard, they cannot compute a or b easily.  So all they can try to do is (g^a mod p)(g^b mod p) = g^{a + b} mod p, but g^{a + b} mod p is not equal to g^ab mod p, so onlookers do not know the shared secret.

8.   Now Alice and Bart can use their shared secret as the seed to a pseudo-random number generator to produce the same shared secret key for use in a symmetric key algorithm to communicate with confidentiality.

 

However, this pure Diffie-Hellman Key Exchange does not include any authentication mechanism, so it is susceptible to a man-in-the-middle attack.  It could go like this:

 

1.   Alice chooses a prime p and a generator g and sends them to Bart publicly.

2.   Alice chooses a private exponent a and sends g^a mod p to Bart.

3.   The man-in-the-middle (Evil) Eve intercepts g^a mod p from Alice, and instead chooses a private exponent a` and sends g<sup>a`</sup> mod p to Bart.

4.   Bart chooses a private exponent b and sends g^b mod p to Alice.

5.   Eve intercepts g^b mod p from Bart, and instead chooses another private exponent b` and sends g<sup>b`</sup> mod p to Alice.

6.   Alice computes (g^{b`</sup> mod p)<sup>a</sup> mod p which equals g<sup>ab`} mod p as the secret key.

7.   Bart computes (g^{a`</sup> mod p)<sup>b</sup> mod p which equals g<sup>a`b} mod p as the secret key.

8.   Eve computes (g^a mod p)^{b`</sup> mod p which equals g<sup>ab`} mod p as the shared key with Alice and also computes (g^b mod p)^{a`</sup> mod p which equals g<sup>a`b} mod p as the shared key with Bart.

9.   Eve can listen in on the communication between Alice and Bart by intercepting each message from one, decrypting it, and then resending it encrypted with the appropriate shared key to the other, while both Alice and Bart think that they are talking directly to each other.

 

In class, possible alternatives to the Diffie-Hellman Key Exchange were discussed.  Any commutative encryption operation would work for creating a shared secret over a public communications medium.  One possible alternative using RSA is:

 

1.   Alice chooses an RSA keypair with public key K_A and private key k_A, chooses a shared secret key K_S, and sends K_A{K_S} to Bart.

2.   Bart chooses an RSA keypair with public key K_B and private key k_B, and sends K_B{K_A{K_S}} to Alice.

3.   Since RSA is commutative, K_B{K_A{K_S}} = K_A{K_B{K_S}}, Alice can decrypt with her private key and gets k_A{K_A{K_B{K_S}}} = K_B{K_S}, which she then sends to Bart.

4.   Bart decrypts it with his private key to get k_B{K_B{K_S}} = K_S as the shared secret key that no one else knows.

 

Cryptographic Hash Algorithms

 

Hash algorithms have two main properties:

 

1.   Converts a large input into a fixed length output known as a hash, digest, or summary.

2.   Deterministic - always produces the same output from the same input.

 

Cryptographic hash algorithms (also known as one-way hash functions) have additional properties:

 

3.   Hard to invert - given a hash, you cannot easily find an input that produced it.

4.   Hard to find a collision for a given input - given an input and its hash, you cannot easily find another input that produces the same hash.

5.   Hard to find any collisions - cannot easily craft two inputs that produce the same hash.

6.   Diffusion - the hashes for inputs are uniformly distributed throughout the space of possible hashes, especially that the hashes for similar inputs are generally quite dissimilar (although this is usually a good property even for non-cryptographic hash algorithms).

 

Hashing is useful for verifying the integrity of a message.  Rather than sending the entire message multiple times to ensure that it is received correctly, just send the message and its hash and if the hash received does not match the hash of the message received, then there has been an error.  (Note that this method can only show that there are errors, not that there aren’t any errors.  An attacker could easily replace the message and then replace the hash with the correct hash of the new message.)  This method is used in network traffic for parity bits, checksums, and CRCs.  Hashes can also be used for fingerprinting files for virus scanners.

 

The hash algorithms are collision resistant.  Measuring how long it should take computationally in order to find inputs that have a hash collision is a relative measure of how secure a hash algorithm is.

 

MD5 is a popular hash function, although several serious flaws have been found in its design and numerous collisions have been found..

 

SHA-1 is the most commonly used hash algorithm today.  It divides the input into 512-bit blocks and processes each block as 16 32-bit words, with 80 rounds for munging all the bits together using multiple binary operations (binary shifts, XOR, AND) along with the use of some special constants.  It is the successor to SHA-0.  Weaknesses have been found in both SHA-0 and SHA-1.  Recently, it has been shown that two messages that have a hash collision can be found in 2⁶³ operations (which is significantly less than the original 2⁸⁰ operations that were thought to be required).  However, just because two messages have a hash collision does not mean that they are semantically meaningful and can be used for an attacker’s gain.  SHA-1 is currently approved by the U.S. Government as a secure hash algorithm.

 

There are four flavors of SHA-2, namely SHA-224, SHA-256, SHA-384, and SHA-512, based on the number of bits in the hash produced.  SHA-2 is a more recent algorithm and has not been scrutinized as much, but no weaknesses have been found yet.  All four flavors of SHA-2 are also currently approved by the U.S. Government as secure hash algorithms.