[Figure 9.4, reconstructed from the diagram residue: A on the left, E in the middle, B on the right.]
A: pick $x$, $X \leftarrow g^x$; send $X$ (intercepted by E)
E: pick $x'$, $X' \leftarrow g^{x'}$; pick $y'$, $Y' \leftarrow g^{y'}$; send $X'$ to B and $Y'$ to A
B: pick $y$, $Y \leftarrow g^y$; send $Y$ (intercepted by E)
A: $K_1 \leftarrow (Y')^x = g^{xy'}$
E: $K_1 \leftarrow X^{y'}$, $K_2 \leftarrow Y^{x'}$
B: $K_2 \leftarrow (X')^y = g^{x'y}$
Figure 9.4. First Man-in-the-Middle Attack in the Diffie-Hellman Key Agreement Protocol.
This ensures that $g$ has order $q$ (its order must divide $q$ and is not 1) without having to completely factorize $p - 1$. Note that once we are assured that $g$ spans a group of prime order $q$, we can pick $x$ and $y$ in $\{0, \ldots, q-1\}$ in the Diffie-Hellman protocol. (In practice $0$ is excluded, since $x = 0$ yields $X = 1$, a value the other party should reject.)
We also notice that A and B must communicate over a channel which really provides authentication. Otherwise the Diffie-Hellman protocol is vulnerable to the man-in-the-middle attack. Assuming that messages are not authenticated, an adversary E can sit in the middle and run concurrent protocols with A and B as depicted in Fig. 9.4. Then E shares one key with A and another with B, although A and B think that they share a key with each other. Since A and B obtain different keys, E has to continue with an active attack: she decrypts messages coming from one participant, re-encrypts them, and sends them to the other participant. She can also mount a more subtle attack in which she no longer has to be active after the key agreement, and A and B obtain the same key. For this we assume that the order of the group $G$ can be written $bw$ with $b$ smooth (e.g. $b = 1$). In this attack E simply raises $X$ and $Y$ to the power $w$ and gets $X' = X^w$ and $Y' = Y^w$, so that A and B obtain the same key $K = g^{xyw}$, which is a $w$-th power, i.e. lies in the subgroup of smooth order $b$. (In the case where $b = 1$, we obtain $X' = Y' = 1$ and hence $K = 1$.) E can thus compute $K$ by using the Pohlig-Hellman algorithm. This attack is depicted in Fig. 9.5. The countermeasure is the one suggested above: work in a subgroup of prime order $q$ and have each party reject any received value $X$ with $X = 1$ or $X^q \neq 1$, since a substituted $X^w$ of smooth order fails that test.
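Both attacks and the subgroup check, as an added worked example in Python (constructed for this page; it is not the book's code). It builds its own toy group $\mathbf{Z}_p^*$ with $p = bw + 1$, $b = 12$ and $w$ prime, found by search at run time, so the order-$b$ discrete logarithm E needs can be solved by exhaustive search; the function names, seeds and parameter sizes are assumptions.

```python
"""Toy Diffie-Hellman in Z_p^* (parameters constructed here, not the book's)
showing the Fig. 9.4 man-in-the-middle, the Fig. 9.5 small-subgroup
variant, and the prime-order subgroup check that blocks the latter."""
import random


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def find_params(b, w_start):
    """Return (p, w) with w prime and p = b*w + 1 prime, so |Z_p^*| = b*w."""
    w = w_start
    while not (is_prime(w) and is_prime(b * w + 1)):
        w += 1
    return b * w + 1, w


def find_generator(p, prime_factors):
    """Smallest g of order exactly p-1 (no prime factor r of p-1 kills it)."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors):
            return g
    raise ValueError("no generator found")


B = 12                        # smooth part b of the group order (2^2 * 3)
P, W = find_params(B, 1000)   # |Z_P^*| = B*W with W prime (found by search)
G = find_generator(P, (2, 3, W))


def classic_mitm(seed=0):
    """Fig. 9.4: E runs two independent sessions and ends up holding
    K1 with A and K2 with B.  Returns (K1 matches, K2 matches)."""
    rng = random.Random(seed)
    x, y = rng.randrange(1, P - 1), rng.randrange(1, P - 1)     # A's and B's exponents
    xe, ye = rng.randrange(1, P - 1), rng.randrange(1, P - 1)   # E's exponents x', y'
    X, Y = pow(G, x, P), pow(G, y, P)                          # intercepted by E
    Xe, Ye = pow(G, xe, P), pow(G, ye, P)                      # substitutes X', Y'
    k1_alice, k2_bob = pow(Ye, x, P), pow(Xe, y, P)            # A uses Y', B uses X'
    k1_eve, k2_eve = pow(X, ye, P), pow(Y, xe, P)              # E matches both
    return k1_alice == k1_eve, k2_bob == k2_eve


def small_subgroup_mitm(seed=0):
    """Fig. 9.5: E raises X and Y to the power w.  A and B then agree on the
    same key g^{xyw}, which lies in the subgroup of order b, and E recovers it
    offline.  Returns (K_A, K_B, K_E)."""
    rng = random.Random(seed)
    x, y = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
    X, Y = pow(G, x, P), pow(G, y, P)
    Xe, Ye = pow(X, W, P), pow(Y, W, P)             # X' = X^w, Y' = Y^w
    k_alice, k_bob = pow(Ye, x, P), pow(Xe, y, P)   # both equal g^{xyw}
    # X' = h^x with h = g^w of order b.  Solving for x mod b is a discrete log
    # in a group of size b; with b = 12 an exhaustive search stands in for
    # Pohlig-Hellman, which would split it over the prime powers 4 and 3.
    h = pow(G, W, P)
    a = next(a for a in range(B) if pow(h, a, P) == Xe)
    k_eve = pow(Ye, a, P)                           # Y'^a = Y'^x because ord(Y') | b
    return k_alice, k_bob, k_eve


def in_prime_order_subgroup(v):
    """Receiver-side check: v must be a non-trivial element of the order-w subgroup."""
    return 1 < v < P and pow(v, W, P) == 1


def honest_exchange(seed=0):
    """DH done properly: generator g^b of prime order w, exponents in {1..w-1}.
    Returns (X accepted, Y accepted, keys agree)."""
    rng = random.Random(seed)
    gq = pow(G, B, P)
    x, y = rng.randrange(1, W), rng.randrange(1, W)
    X, Y = pow(gq, x, P), pow(gq, y, P)
    return (in_prime_order_subgroup(X), in_prime_order_subgroup(Y),
            pow(Y, x, P) == pow(X, y, P))


def attack_rejected(seed=0):
    """The substituted X' = X^w has order dividing b, so X'^w = 1 only when
    X' = 1, and the check rejects it either way."""
    rng = random.Random(seed)
    Xe = pow(pow(G, rng.randrange(1, P - 1), P), W, P)
    return not in_prime_order_subgroup(Xe)


if __name__ == "__main__":
    print("p =", P, "w =", W, "g =", G)
    print("Fig. 9.4, E's keys match A's and B's:", classic_mitm(1))
    ka, kb, ke = small_subgroup_mitm(1)
    print("Fig. 9.5, K_A == K_B == K_E:", ka == kb == ke, "K =", ka)
    print("honest exchange:", honest_exchange(1), "attack rejected:", attack_rejected(1))
```

With $b = 12$ the key forced by the second attack takes at most 12 values, which is why a brute-force search suffices; for a real group with a larger smooth factor the same recovery is done with Pohlig-Hellman, and the only thing that stops it is the receiver refusing values outside the prime-order subgroup.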
Another important property is the notion of forward secrecy. This property means that if any long-term secret key is compromised, the secrecy of the Diffie-Hellman key is nevertheless preserved. Indeed, this key is meant to be used during a session and to be discarded afterward. In the case described above, both $x$ and $y$ are ephemeral keys which are discarded after the protocol, so they cannot be compromised later (provided they are actually erased from memory once $K$ has been derived). We can also use a static version of the Diffie-Hellman protocol in which $x$ and $y$ are long-term secret keys. This version does not provide forward secrecy, since disclosure of $x$ or $y$ eventually compromises $K$, and with static keys $K$ is the same in every session.
[Figure 9.5, reconstructed from the diagram residue: A on the left, E in the middle, B on the right.]
A: pick $x$, $X \leftarrow g^x$; send $X$
E: $X' \leftarrow X^w = g^{xw}$; forward $X'$ to B
B: pick $y$, $Y \leftarrow g^y$; send $Y$
E: $Y' \leftarrow Y^w$; forward $Y'$ to A
A: $K \leftarrow (Y')^x$
E: solve $X' = (g^w)^a$ for $a$ in the subgroup of order $b$ (Pohlig-Hellman), then $K \leftarrow (Y')^a$
B: $K \leftarrow (X')^y$
All three obtain $K = g^{xyw}$.
Figure 9.5. Second Man-in-the-Middle Attack in the Diffie-Hellman Key Agreement Protocol.