Cryptography Reference
send_to_server( &Yc );
receive_from_server( &Ys );
dh_finalize( p, &Ys, b, &Z );
// ... use "Z" as shared key
Notice also that the client doesn't need to wait for Ys before computing Yc,
assuming p and g are known to both sides. In SSL, the server picks p and g, and
transmits them along with Ys, but Diffie-Hellman doesn't actually require that
key exchange be done this way.
One particularly interesting difference between RSA and DH is that RSA is
very, very picky about what values you can use for e, d, and n. As you saw
earlier, not every triple of numbers works (in fact, relative to the size of all
natural numbers, very few do). However, DH key exchange works with essentially
any random combination of p, g, a, and b. What guidance is there for picking out
“good” values? Of course, you want to use large numbers, especially for p; other
than using a large number — 512-bit, 1024-bit, and so on — you at least want to
ensure that the bits are securely randomly distributed.
It also turns out that some choices of p leave the secret Z vulnerable to
eavesdroppers who can employ the Pohlig-Hellman attack. The attack itself,
originally published by Stephen Pohlig and Martin Hellman in the journal “IEEE
Transactions on Information Theory” in 1978, is mathematically technical, but it
relies on a p − 1 that has no large prime factors. The math behind the attack
itself is outside of the scope of this topic, but guarding against it is
straightforward, as long as you're aware of the risk. Ensure that the choice
p − 1 is not only itself large, but that it includes at least one large prime
factor. RFC 2631 recommends that p = jq + 1, where q is a large prime number and
j is greater than or equal to 2. Neither q nor j needs to be kept secret; in
fact, it's recommended that they be shared so that the receiver can verify that
p is a good choice.
In most implementations, g is actually a very small number — 2 is a popular
choice. As long as p, a, and b are very large, you can get away with such a small
g and still be cryptographically secure.
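As an added example (not code from the book), the receiver-side check that sharing q and j makes possible can be written as follows. It assumes 64-bit toy values in place of a huge-number type, the names dh_verify_params, dh_check and min_q_bits are hypothetical, and it also confirms that p itself is prime, which DH requires of its modulus.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { DH_OK, DH_BAD_J, DH_NOT_JQ_PLUS_1, DH_Q_TOO_SMALL,
               DH_Q_NOT_PRIME, DH_P_NOT_PRIME } dh_check;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)((__uint128_t)a * b % m);   /* GCC/Clang 128-bit type */
}
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = mulmod(b, b, m))
        if (e & 1) r = mulmod(r, b, m);
    return r;
}
/* Miller-Rabin; these 12 bases give a deterministic answer for any 64-bit n. */
static int is_prime(uint64_t n) {
    static const uint64_t bases[12] = {2,3,5,7,11,13,17,19,23,29,31,37};
    uint64_t d = n - 1;
    int s = 0, i, r;
    if (n < 2) return 0;
    for (i = 0; i < 12; i++) {
        if (n == bases[i]) return 1;
        if (n % bases[i] == 0) return 0;
    }
    while ((d & 1) == 0) { d >>= 1; s++; }
    for (i = 0; i < 12; i++) {
        uint64_t x = powmod(bases[i], d, n);
        if (x == 1 || x == n - 1) continue;
        for (r = 1; r < s; r++)
            if ((x = mulmod(x, x, n)) == n - 1) break;
        if (r == s) return 0;               /* this base is a witness: composite */
    }
    return 1;
}
/* Receiver-side check of the published (p, q, j); min_q_bits is 1..64. */
dh_check dh_verify_params(uint64_t p, uint64_t q, uint64_t j, int min_q_bits) {
    if (j < 2) return DH_BAD_J;
    if (p < 2 || q == 0 || (p - 1) % q != 0 || (p - 1) / q != j)
        return DH_NOT_JQ_PLUS_1;            /* p == j*q + 1 without overflow */
    if ((q >> (min_q_bits - 1)) == 0) return DH_Q_TOO_SMALL;
    if (!is_prime(q)) return DH_Q_NOT_PRIME;
    if (!is_prime(p)) return DH_P_NOT_PRIME;
    return DH_OK;
}
int main(void) {
    /* Constructed toy values; a real q would be hundreds of bits long. */
    printf("%d\n", dh_verify_params(2039, 1019, 2, 10));     /* q prime, 10 bits */
    printf("%d\n", dh_verify_params(65537, 2, 32768, 10));   /* p-1 = 2^16       */
    printf("%d\n", dh_verify_params(1031, 515, 2, 10));      /* q = 5 * 103      */
    return 0;
}
```

The second and third tuples both satisfy p = jq + 1 with a prime p, yet p − 1 has only small prime factors; they are rejected because the claimed q is too small or not prime.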
Getting More Security per Key Bit: Elliptic Curve Cryptography
Although the concept and theory of elliptic curves and their application in
cryptography have been around for quite a while (Miller and Koblitz described
the first ECC cryptosystem in 1985), elliptic curves only managed to find their