Both parties start with a publicly known "base color." They mix it with a secret color and exchange the result with the other party. The other party adds their secret color to the received mix and they both end up with the same result.

Diffie-Hellman: Mixing the color of security

The problem we are facing with key exchange is of two parties agreeing on a shared secret over an insecure channel that can be observed by an attacker (for simplicity, let’s not consider an attacker that is also able to modify exchanged messages, this is solved by authentication). From a high level perspective, key exchange algorithms work similar to mixing paint, relying on the property that it is easy to mix them, but very hard to separate them back.

We’ve also published a set of primality certificates to allow for quicker verification of their primality. At the end of this article you can find instructions on how to use this tool, called ecpp-verifier, to verify the primality certificates or how to check that all the primes used by OpenSSH have matching certificates. Because the key exchange is vulnerable to attacks if the number is not prime, or not a special kind of prime, the Red Hat Crypto Team has developed a tool to provide mathematical proof that the numbers we distribute are indeed primes of that special type and thus aren’t the weakest link in the security of systems that depend on them. In one variant of the Diffie-Hellman key exchange one of the parameters needs to be a large prime number.

Those primes will be used for diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, or gss-gex-sha1-* key exchanges. At the same time, some protocols, like SSH and TLS before TLS 1.3, allow the server to pick arbitrary numbers as the basis of the FFDH key exchange. In particular, in the OpenSSH package, we distribute the /etc/ssh/moduli file that includes tens of prime numbers of different sizes.
There are two functions with the required properties commonly used in cryptography: exponentiation modulo prime (forming Finite Field Diffie-Hellman, or FFDH) and point multiplication over elliptic curve, forming Elliptic Curve Diffie-Hellman (ECDH). In Red Hat Enterprise Linux (RHEL) we support ECDH over only a select set of well-known curves that have been extensively examined by the cryptographic community; there is nothing more we need to do to show their security.

Similarly party B will take the number x and raise it to power b modulo p. Since $x^b = (g^a)^b = g^{a \cdot b} = g^{b \cdot a} = (g^b)^a = y^a \bmod p$, both A and B get the same result without exchanging either a or b explicitly or a value that allows easy calculation of either a or b. You may wonder why guessing a or b is hard, given that we have logarithms. The reason is that we need to calculate discrete logarithms, for which there is no efficient general algorithm. The exponents are secret and aren’t shared with the other party.

The key exchange will look something like this: Party A will select a random number a between 1 and p, calculate the value of base g to the power a modulo p, let’s call it x, and send it to party B. Party B will do similar steps: select a random number b between 1 and p, calculate the value of base g to the power b modulo p, let’s call it y, and send the result to party A. Upon receiving the value from B, party A will take that number y and raise it to power a modulo p. The parameters we need are a prime number p (more about it later), the number which we will be exponentiating g (called the base or generator) and two exponents, let’s call them a and b.

Finite Field Diffie-Hellman

As I wrote previously, finite field Diffie-Hellman uses exponentiation modulo prime to agree on a shared secret.
Then we can pick a number between 2 and 14, say 8, as a new guess. Then we can guess 14, which gives a value of $4^{14} = 268435456$, which is too much. That gives a value of $4^2 = 16$, which is too little. For y we can start with a guess of 2. Since the highest meaningful exponent is p-1 (so 12 in this example, more on this later in the article), let's try a smaller one, a 7. With the first guess of 2 we get 3. But if we use those exponents modulo 13 instead, then we’ll get x = 9 and y = 9.

Let's try to use the same algorithm to find the a and b. Then we can guess 10, which will give the value we look for: 1048576. We can use a similar process to search for the exponent of x to arrive at the value of a = 4. That tells us that the value we're looking for is between 8 and 14.

Taking that modulo 13 does a good job at hindering the ability to reverse the operation, and it gets even better with larger and more carefully selected numbers. While using many sufficiently large numbers as p will give us a secure key exchange if we perform additional checks on shared values, there is a class of prime numbers we can use for p that allows us to skip the computationally intensive checks, and use the smallest possible number for the expected level of security, those are the so-called safe primes. It’s not as simple as zeroing in on the value of the right size, and much closer to poking around in the dark. In fact, this is known as the discrete logarithm problem. Or even a not-so-simple one. If we try 5, we'll get 10.

If you don’t see the pattern, don’t be too hard on yourself: there isn’t a simple one. But we can keep factoring p-1.
Then instead of guessing the shared secret among all the numbers between 1 and p-1, they need to look through just the subgroup.

While it doesn’t look like much of a difference for the example with 13, as the subgroup of 3 is only 4 times smaller than the prime, for numbers we commonly use in cryptography, the full group will be at least as large as $2^{2048}$ (or $10^{616}$) while the subgroup can be small, for example, comparable to $2^{64}$ (or $10^{19}$), in other words, many orders of magnitude smaller.

Now, since for any odd prime p, p-1 will be even (and each prime other than 2 is an odd number), there will always be a subgroup of size 2, so that’s unavoidable. See Fermat’s little theorem for a proof of this.

An attacker is actually interested in such small subgroups, as if they know that the key share is part of the small subgroup, the shared secret will be too. Because of that, we call those repeating patterns "groups", and for values that generate smaller repeating patterns "subgroups". Since 13 - 1 = 12, and 12 has 1, 2, 3, 4, 6, and 12 as divisors, those are the only lengths that we will find.

The second observation we can make is that if we take the result of exponentiation of a given number, and start exponentiating it further (for example for 4 we take 4² = 3 mod 13) the only numbers we will get in the new repeating pattern will be the numbers we already saw in the repeating pattern of 4 (in the example with 3, all of 1, 3, and 9 are present in the repeating pattern of 4).

That means that if we eliminate the results of the exponentiation of 1 (which creates a group of size 1) and p-1 (which creates a group of size 2), the only possible group sizes that remain are q and p-1. Both are similar in size to the prime p we use and therefore safe.
That’s actually helpful for avoiding small subgroups.

If we consider a prime number p = 2q + 1, where q is also prime, then the only subgroups (pattern lengths) possible are: 1, 2, q, and p-1, as those are the only divisors of p-1.
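
The subgroup sizes described above can be checked by brute force on toy primes. The following is an added example, not code from the original article or from ecpp-verifier; the function names and the choice of p = 23 (= 2·11 + 1) as the safe prime to compare against 13 are assumptions made for illustration.

```python
from collections import Counter

def order(g, p):
    """Size of the repeating pattern (subgroup) generated by g modulo prime p.
    Brute force, toy sizes only; g must be in 1..p-1."""
    value, n = g % p, 1
    while value != 1:
        value = value * g % p
        n += 1
    return n

def order_histogram(p):
    """Map each subgroup size to the number of values in 1..p-1 that generate it."""
    return dict(sorted(Counter(order(g, p) for g in range(1, p)).items()))

def is_prime(n):
    """Trial division; adequate for the toy numbers used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(p):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return is_prime(p) and is_prime((p - 1) // 2)

def acceptable_share(y, p):
    """For a safe prime p, accepting only 2..p-2 excludes the subgroups of
    size 1 (value 1) and size 2 (value p-1) as well as out-of-range values;
    every remaining share generates a subgroup of size q or p-1."""
    return 2 <= y <= p - 2

if __name__ == "__main__":
    for p in (13, 23):  # 13 is the article's toy prime; 23 is a safe prime
        label = "safe prime" if is_safe_prime(p) else "not a safe prime"
        print(p, label, order_histogram(p))
    # Constructed peer key shares for p = 23; only 2 passes the range check
    print([y for y in (0, 1, 2, 22, 23) if acceptable_share(y, 23)])
```

For 13 the histogram contains every divisor of 12, including the small sizes 3 and 4, while for 23 only the sizes 1, 2, 11 and 22 appear.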