Diffie-Hellman: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
No edit summary
imported>Caesar Schinas
m (Robot: Changing template: TOC-right)
Line 1: Line 1:
{{subpages}}
{{subpages}}
{{TOC-right}}
{{TOC|right}}
The '''Diffie-Hellman key agreement protocol''' (also called Diffie-Hellman key exchange, or just Diffie-Hellman, D-H or DH) <ref name=RFC2631>{{citation
The '''Diffie-Hellman key agreement protocol''' (also called Diffie-Hellman key exchange, or just Diffie-Hellman, D-H or DH) <ref name=RFC2631>{{citation
  | id=RFC2631
  | id=RFC2631

Revision as of 06:09, 31 May 2009

This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

The Diffie-Hellman key agreement protocol (also called Diffie-Hellman key exchange, or just Diffie-Hellman, D-H or DH) [1] allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a cryptographic key for a block cipher or a stream cipher, or as the basis for a further key exchange.

The protocol is secure against all passive attacks, but it is not at all resistant to active man-in-the-middle attacks. Conventionally, the two communicating parties are A and B or Alice and Bob. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication of the participants is a prerequisite for safe Diffie-Hellman key exchange. There are several ways to do the required authentication. For example, in Internet Key Exchange (IKE),[2] authentication can be done with a shared secret or with any of several public key techniques. In Transport Layer Security (TLS),[3]it is done by exchange of X.509 Certificates.

The Diffie-Hellman method is based on the discrete logarithm problem and is secure unless someone finds an efficient solution to that problem. It can use any of several variants of discrete log; common variants are over a field modulo a large prime (1536 bits for one heavily used group in IPsec) or a field defined by an elliptic curve.

Given a prime p and generator g (see discrete logarithm), Alice:

   * generates a random number a
   * calculates A = g^a modulo p
   * sends A to Bob

Meanwhile Bob:

   * generates a random number b
   * calculates B = g^b modulo p
   * sends B to Alice

Now Alice and Bob can both calculate the shared secret s = g^(ab). Alice knows a and B, so she calculates s = B^a. Bob knows A and b so he calculates s = A^b.

An eavesdropper will know p and g since these are made public, and can intercept A and B but, short of solving the discrete log problem, these do not let him or her discover the secret s.

The protocol can be subverted if either Alice or Bob uses a weak random number generator. The attacker can then make guesses at a or b; a correct guess breaks the system. If the random number generator is sufficiently weak, or if it is badly seeded as in an early version of Netscape SSL, then the number of guesses required for this attack may not be prohibitive. However with large p and a good generator, this attack is wildly impractical.

References

  1. Rescorla, E. (June 1999), Diffie-Hellman Key Agreement Method, RFC2631
  2. C. Kaufman,, ed. (December 2005), Internet Key Exchange (IKEv2) Protocol, RFC4306
  3. T. Dierks, E. Rescorla (August 2008), The Transport Layer Security (TLS) Protocol Version 1.2., RFC5246