So, after decoding the OID, you then need to ASN.1 decode the bit string as
yet another ASN.1 value to extract the actual public key.
If you recall, regular (that is, non-elliptic-curve) Diffie-Hellman key exchange
doesn't involve a public key the way RSA does. There were two parameters
needed, though: the generator g and the field parameter p. The contents of the
public key field, in this case, is simply:
DHPublicKey ::= INTEGER -- public key, y = g^x mod p
Of course, the public y value is useless to the client without g and p. You
might expect to see them in the public key structure, as you see with n in
the RSAPublicKey, but instead the Diffie-Hellman generator and group are
passed as algorithm parameters. Notice in the declaration of algorithm in
SubjectPublicKeyInfo that the type is actually AlgorithmIdentifier. This
includes an OID identifying the algorithm, but allows optional parameters to
be included:
AlgorithmIdentifier ::= SEQUENCE {
    algorithm  OBJECT IDENTIFIER,
    parameters ANY DEFINED BY algorithm OPTIONAL }
The parameters field is empty for RSA, but for DH, it's defined as
DomainParameters ::= SEQUENCE {
    p               INTEGER,                  -- odd prime, p = jq + 1
    g               INTEGER,                  -- generator, g
    q               INTEGER,                  -- factor of p-1
    j               INTEGER OPTIONAL,         -- subgroup factor
    validationParms ValidationParms OPTIONAL }
ValidationParms ::= SEQUENCE {
    seed        BIT STRING,
    pgenCounter INTEGER }
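The decoding walked through above (read the OID, re-decode the BIT STRING contents as another DER value to get the INTEGER y, and pull p, g, q and j out of the AlgorithmIdentifier's parameters field) as an added Python example; this is not code from the book. It builds its own SubjectPublicKeyInfo with a minimal DER encoder so it runs offline. The parameters p = 23, q = 11, g = 4, j = 2 and the public value y = 2 are constructed toy values, far too small for real use, and the OID 1.2.840.10046.2.1 is the standard dhpublicnumber identifier from RFC 3279, which this page does not itself quote.

```python
# Added example, not from the book: encode and then decode a DER
# SubjectPublicKeyInfo carrying a Diffie-Hellman public key.

DH_OID = "1.2.840.10046.2.1"   # dhpublicnumber (RFC 3279); assumed, not on the page

# --- minimal DER encoder, used only to construct the sample bytes ---------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # one extra byte whenever the top bit would be set, so the INTEGER stays positive
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_bitstring(inner):
    return tlv(0x03, b"\x00" + inner)   # leading byte = count of unused bits

# --- minimal DER decoder ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_seq(body):
    """Split a SEQUENCE body into a list of (tag, value) for its top-level members."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_dh_spki(der):
    """Decode SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING } for a DH key."""
    tag, spki, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (_, alg_id), (_, bits) = read_seq(spki)
    (_, oid), (_, params) = read_seq(alg_id)     # parameters present for DH, absent for RSA
    if decode_oid(oid) != DH_OID:
        raise ValueError("not a DH public key")
    # DomainParameters: take the INTEGER members in order (p, g, q, j OPTIONAL);
    # validationParms, if present, is a SEQUENCE and is skipped here.
    ints = [int.from_bytes(v, "big", signed=True) for t, v in read_seq(params) if t == 0x02]
    p, g, q = ints[:3]
    j = ints[3] if len(ints) > 3 else None
    # The BIT STRING's payload (after the unused-bits byte) is itself DER: DHPublicKey ::= INTEGER
    _, y_bytes, _ = read_tlv(bits[1:])
    y = int.from_bytes(y_bytes, "big", signed=True)
    return {"p": p, "g": g, "q": q, "j": j, "y": y}

# Constructed sample: p = 23 = 2*11 + 1, g = 4 (order 11), secret x = 6, y = 4^6 mod 23 = 2
SAMPLE_SPKI = der_seq(
    der_seq(der_oid(DH_OID), der_seq(der_int(23), der_int(4), der_int(11), der_int(2))),
    der_bitstring(der_int(2)),
)

if __name__ == "__main__":
    print(SAMPLE_SPKI.hex())
    print(parse_dh_spki(SAMPLE_SPKI))
```

The same `read_tlv`/`read_seq` pair handles the RSAPublicKey case too; only the branch after the OID check changes, since RSA leaves `parameters` empty and its BIT STRING wraps a SEQUENCE of n and e instead of a lone INTEGER.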
HOW TO AVOID A SMALL SUBGROUP ATTACK USING THE
DIFFIE-HELLMAN KEY
If you recall the discussion of Diffie-Hellman key exchange in Chapter 3, you
may remember that p and g are the only two parameters that you need in
order to perform a key exchange. Each side chooses a random secret number
a or b, sends the other side y = g^a % p, and the receiving side computes y^b % p to
complete the key agreement (refer back to Chapter 3 if this is still a bit fuzzy).
So — you may wonder — what are those extra parameters, q, j, and validationParms
for? Well, when p and g are fixed parameters — used over and over for
multiple key exchanges — a poorly chosen p value can open the user to an
attack called the small subgroup attack, described by Chae Hoon Lim and Pil
Joon Lee in their paper, “A Key Recovery Attack on Discrete Log-based Schemes
Using a Prime Order Subgroup.” The attack itself is mathematically complex,
and I won't go into the details here. As it turns out, SSL/TLS ordinarily uses
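One defensive use of the q parameter, as an added Python example that is not from the book: before using a peer's public value y, confirm that it actually lies in the prime-order-q subgroup that g generates, by checking 1 < y < p-1 and y^q mod p = 1. Values of order j (such as p-1, which has order 2) fail the test and are refused, so the shared secret can never be forced into a tiny set of candidates. The parameters p = 23, q = 11, g = 4 and the secrets 6 and 5 are constructed toy values, far too small for real use.

```python
# Added example, not from the book: subgroup membership check for a received
# Diffie-Hellman public value.  Toy parameters: p = 23 = 2*11 + 1, so q = 11,
# j = 2, and g = 4 generates the order-11 subgroup of quadratic residues.

P, Q, G = 23, 11, 4   # constructed toy values

def validate_dh_public(y, p, q):
    """True only if 1 < y < p-1 and y has order q (y^q mod p == 1)."""
    if not 1 < y < p - 1:          # rejects 0, 1 and p-1 outright
        return False
    return pow(y, q, p) == 1       # rejects everything outside the order-q subgroup

def shared_secret(peer_y, my_secret, p, q):
    """Finish the exchange only after the peer's value has passed validation."""
    if not validate_dh_public(peer_y, p, q):
        raise ValueError("peer public value rejected: not in the order-q subgroup")
    return pow(peer_y, my_secret, p)

def subgroup_order(y, p):
    """Multiplicative order of y mod p by brute force; fine for the toy modulus."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k

def candidate_secrets(y, p):
    """All values y^b mod p can take over every b; small sets mean small subgroups."""
    return {pow(y, b, p) for b in range(1, p)}

if __name__ == "__main__":
    ya, yb = pow(G, 6, P), pow(G, 5, P)          # honest public values: 2 and 12
    print("shared:", shared_secret(ya, 5, P, Q), shared_secret(yb, 6, P, Q))   # 9 and 9
    print("order of p-1:", subgroup_order(P - 1, P))                           # 2
    print("secrets reachable from p-1:", candidate_secrets(P - 1, P))          # {1, 22}
    print("p-1 accepted?", validate_dh_public(P - 1, P, Q))                    # False
```

The `pow(y, q, p)` step is the cheap half of the check; it is why DomainParameters carries q even though the exchange itself only needs p and g. The range check alone would still admit values like p-1, whose reachable-secret set `candidate_secrets` shows is just two elements.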