Cryptography Reference
protocol run and cannot be linked with either Alice or Bob. Neither is there
any assurance that these values are fresh.
Mutual data origin authentication. This is not provided, by the same argument
as above.
Mutual key establishment. Alice and Bob do establish a common symmetric key
at the end of the Diffie-Hellman protocol, so this goal is achieved.
Key confidentiality. The shared value $Z_{AB} = g^{ab}$ is not computable by anyone
other than Alice or Bob. Neither is any key $K_{AB}$ derived from $Z_{AB}$. Thus this
goal is achieved.
Key freshness. Assuming that Alice and Bob choose fresh private keys $a$ and $b$,
then $Z_{AB}$ should also be fresh. Indeed, it suffices that just one of Alice and Bob
choose a fresh private key.
Mutual key confirmation. This is not provided, since neither party obtains any
explicit evidence that the other has constructed the same shared value $Z_{AB}$.
Unbiased key control. Both Alice and Bob certainly contribute to the generation
of $Z_{AB}$. Technically, if Alice sends $g^a$ to Bob before Bob generates $b$, then
Bob could 'play around' with a few candidate choices for $b$ until he finds a $b$
that results in a $Z_{AB} = g^{ab}$ that he particularly 'likes'. This type of 'attack' is
somewhat theoretical since, in practice, the values involved are so large that
it would be very hard to conduct (Bob would probably have to try out too
many choices of $b$). Hence it would seem reasonable to argue that joint (and
hence unbiased) key control is achieved since any 'manipulation' that Bob can
conduct is in most cases rather contrived.
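The cost of the 'play around' strategy in the unbiased key control discussion can be measured directly. The following is an added example, not taken from the original text: the toy prime 2^127 - 1, the base 3, the function names and the preference "low t bits of Z_AB are zero" are all assumptions chosen for illustration.

```python
import random

# Constructed toy parameters (assumptions): the Mersenne prime 2**127 - 1 and
# base 3. Much too small for real Diffie-Hellman; chosen so the demo runs fast.
P = 2**127 - 1
G = 3

def bob_grinds(g_a, t, rng, max_tries=1 << 20):
    """Bob already holds g^a. He retries candidate b values until the low t
    bits of Z_AB = (g^a)^b mod p are all zero (the value he 'likes').
    Returns (b, number_of_candidates_tried)."""
    for tries in range(1, max_tries + 1):
        b = rng.randrange(2, P - 1)
        if pow(g_a, b, P) % (1 << t) == 0:
            return b, tries
    raise RuntimeError("no suitable b found within max_tries")

def average_tries(t, runs, rng):
    """Mean number of candidates Bob needs over several protocol runs,
    each with a fresh private key a for Alice."""
    total = 0
    for _ in range(runs):
        a = rng.randrange(2, P - 1)
        _, tries = bob_grinds(pow(G, a, P), t, rng)
        total += tries
    return total / runs

if __name__ == "__main__":
    # Seeded PRNG only for repeatable output; real private keys need a CSPRNG.
    rng = random.Random(2024)
    for t in (4, 6, 8, 10):
        avg = average_tries(t, 20, rng)
        print(f"t={t:2d} bits  expected ~{2**t:5d}  measured {avg:8.1f}")
    # Each extra fixed bit doubles Bob's work, so on a real-size group even
    # fixing 80 bits would need about 2**80 candidate values of b.
```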
Thus, from the above analysis, the Diffie-Hellman protocol achieves the goals
relating to key establishment, but not the goals relating to authentication. We will
now show that this is sufficiently problematic that this basic version of the Diffie-
Hellman protocol is not normally implemented without further modification.
MAN-IN-THE-MIDDLE ATTACK ON THE DIFFIE-HELLMAN PROTOCOL
The man-in-the-middle attack is applicable to any situation where an attacker
(Fred, in Figure 9.11) can intercept and alter messages sent on the communication
channel between Alice and Bob. This is arguably the best-known attack
against a cryptographic protocol and is one that the designers of any cryptographic
protocol need to take measures to prevent.
The man-in-the-middle attack works as follows (where all calculations are
modulo $p$):
1. Alice begins a normal run of the Diffie-Hellman protocol depicted in Figure 9.10.
She randomly generates a positive integer $a$ and calculates $g^a$. Alice sends $g^a$
to Bob.
2. Fred intercepts this message before it reaches Bob, generates his own positive
integer $f$, and calculates $g^f$. Fred then claims to be Alice and sends $g^f$ to Bob
instead of $g^a$.
 