Diffie-Hellman: Difference between revisions
imported>Sandy Harris No edit summary |
imported>Howard C. Berkowitz No edit summary |
||
| Line 1: | Line 1: | ||
The '''Diffie-Hellman key agreement protocol''' (also just Diffie-Hellman or DH) allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a [[cryptographic key]] for a [[block cipher]] or a [[stream cipher]], or as the basis for a further key exchange. | {{subpages}} | ||
{{TOC-right}} | |||
The '''Diffie-Hellman key agreement protocol''' (also just Diffie-Hellman or DH) allows two parties without any initial [[shared secret]] to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a [[cryptographic key]] for a [[block cipher]] or a [[stream cipher]], or as the basis for a further key exchange. | |||
The protocol is secure against all passive attacks, but it is not at all resistant to active [[man-in-the-middle attack]]s. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication of the participants is a prerequisite for safe Diffie-Hellman key exchange. There are several ways to do the required authentication. For example, in [[Internet Key Exchange]] (IKE, | The protocol is secure against all passive attacks, but it is not at all resistant to active [[man-in-the-middle attack]]s. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication of the participants is a prerequisite for safe Diffie-Hellman key exchange. There are several ways to do the required authentication. For example, in [[Internet Key Exchange]] (IKE),<ref name=RFC4306>{{citation | ||
| id = RFC4306 | |||
| title = Internet Key Exchange (IKEv2) Protocol | |||
| editor = C. Kaufman, | |||
| date = December 2005 | |||
| url = http://www.ietf.org/rfc/rfc4306.txt}} authentication can be done with a shared secret or with any of several [[public key]] techniques.<ref name=RFC4282>{{citation | |||
| id = RFC5282 | |||
| title = Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol. | |||
| author= D. Black, D. McGrew | |||
| date = August 2008 | |||
| url = www.ietf.org/rfc/rfc5282.txt}} | |||
}}</ref> In [[Transport Layer Security]] (TLS),<ref name=>{{citation | |||
| id = RFC5246 | |||
| title = The Transport Layer Security (TLS) Protocol Version 1.2. | |||
| author = T. Dierks, E. Rescorla | |||
| date = August 2008 | |||
| url = http://www.ietf.org/rfc/rfc5248.txt}}</ref>it is done by exchange of [[X.509]] Certificates. | |||
The Diffie-Hellman method is based on the [[discrete logarithm]] problem and is secure unless someone finds an efficient solution to that problem. It can use any of several variants of discrete log; common variants are over a field modulo a prime or a field defined by an elliptic curve. | The Diffie-Hellman method is based on the [[discrete logarithm]] problem and is secure unless someone finds an efficient solution to that problem. It can use any of several variants of discrete log; common variants are over a field modulo a prime or a field defined by an elliptic curve. | ||
| Line 21: | Line 39: | ||
An eavesdropper will know p and g since these are made public, and can intercept A and B but, short of solving the discrete log problem, these do not let him or her discover the secret s. | An eavesdropper will know p and g since these are made public, and can intercept A and B but, short of solving the discrete log problem, these do not let him or her discover the secret s. | ||
The protocol can be subverted if either Alice or Bob uses a weak [[random number]] generator. The attacker can then make guesses at a or b; a correct guess breaks the system. If the random number generator is weak, the number of guesses required for this attack may not be prohibitive. However, with large p and a good | The protocol can be subverted if either Alice or Bob uses a weak [[random number]] generator. The attacker can then make guesses at a or b; a correct guess breaks the system. If the random number generator is weak, the number of guesses required for this attack may not be prohibitive. However, with large p and a good [[pseudorandom number generator]], it is wildly impractical. | ||
==References== | |||
{{reflist|2}} | |||
Revision as of 05:20, 15 October 2008
Template:TOC-right The Diffie-Hellman key agreement protocol (also just Diffie-Hellman or DH) allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a cryptographic key for a block cipher or a stream cipher, or as the basis for a further key exchange.
The protocol is secure against all passive attacks, but it is not at all resistant to active man-in-the-middle attacks. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication of the participants is a prerequisite for safe Diffie-Hellman key exchange. There are several ways to do the required authentication. For example, in Internet Key Exchange (IKE),Cite error: Closing </ref> missing for <ref> tag In Transport Layer Security (TLS),[1]it is done by exchange of X.509 Certificates.
The Diffie-Hellman method is based on the discrete logarithm problem and is secure unless someone finds an efficient solution to that problem. It can use any of several variants of discrete log; common variants are over a field modulo a prime or a field defined by an elliptic curve.
Given a prime p and generator g (see discrete logarithm), Alice:
* generates a random number a * calculates A = g^a modulo p * sends A to Bob
Meanwhile Bob:
* generates a random number b * calculates B = g^b modulo p * sends B to Alice
Now Alice and Bob can both calculate the shared secret s = g^(ab). Alice knows a and B, so she calculates s = B^a. Bob knows A and b so he calculates s = A^b.
An eavesdropper will know p and g since these are made public, and can intercept A and B but, short of solving the discrete log problem, these do not let him or her discover the secret s.
The protocol can be subverted if either Alice or Bob uses a weak random number generator. The attacker can then make guesses at a or b; a correct guess breaks the system. If the random number generator is weak, the number of guesses required for this attack may not be prohibitive. However, with large p and a good pseudorandom number generator, it is wildly impractical.
References
- ↑ T. Dierks, E. Rescorla (August 2008), The Transport Layer Security (TLS) Protocol Version 1.2., RFC5246