
Key Exchange Methods

CPE 701 Research Case Study, Derek Eiler

Abstract In this paper we explore methods by which two parties may, over a public communication channel, exchange or agree upon a common cryptographic key to encrypt future communications without having previously agreed upon a key via another channel. We discuss the challenges of exchanging or agreeing upon cryptographic keys over a public channel but focus on methods widely used to overcome these challenges. The key challenge these methods seek to overcome is the possibility, or even inevitability, that a third party may eavesdrop and overhear the unencrypted conversation. Such a third party may then attempt to decipher subsequent encrypted communications, or even impersonate one of the communicating parties in a so-called “man in the middle attack.” We will specifically address the Diffie-Hellman shared secret and RSA key pair generation algorithms.

Key Concepts

Encryption and Decryption Encryption may be simply defined as the act of transforming raw data (plaintext) into obscured data (ciphertext). Decryption is the reverse process, namely transforming ciphertext back into plaintext. Encryption and decryption are generally used to allow parties to communicate sensitive information with one another privately over a public channel, such as the internet.

Encryption and Decryption Keys An encryption or decryption key is the parameter in a cryptographic algorithm or function that allows plaintext to be transformed into useful ciphertext. Using a key in the encryption process may be likened to building the lock for a physical safe, and a key’s function in decryption is analogous to a physical key. If the wrong key is used, the recipient of a ciphertext will not be able to recover the original plaintext.

Alice, Bob, Eve, and Mallory Alice, Bob, Eve, and Mallory are commonly used names for the parties involved in cryptographic communications, much as “foo” and “bar” are common temporary variable names in computer programming. These names are generally understood in the cryptography and computer security communities, and will be used throughout the rest of this paper for clarity, since it can be difficult to distinguish between hypothetical parties using words like “the latter”, “the former”, and so on. Alice is a party that wishes to privately communicate with another party, referred to as Bob. Eve is a third party that eavesdrops on Alice and Bob’s communications and attempts to discern what they are discussing; she is passive and only listens. Mallory is a third party that actively interferes with Alice and Bob’s communications, often by impersonating one or both of them.

Man in the Middle Attack A man in the middle attack occurs when a third party such as Mallory places herself between Alice and Bob, impersonates each of them to the other, and relays (and possibly tampers with) the messages between them. A key exchange method alone does not rule this out: unless Alice and Bob can verify that the values they receive really came from each other, Mallory can simply run a separate exchange with each of them. Even when the exchange is authenticated, Alice and Bob’s traffic can still be read later if Eve or Mallory learns the key by brute force or by clever analysis of overheard ciphertext. For this reason, it is important to use a key with a negligible probability of being guessed, and to use a cryptographic function whose ciphertext does not betray its plaintext or key when analyzed by Eve or Mallory. A successful man in the middle attack renders Alice and Bob’s use of encryption useless.

Public Key Infrastructure (PKI) Public key infrastructure (PKI) is a system by which public keys are created, stored, distributed, and sometimes revoked, while also providing some level of assurance that a public key belongs to a particular entity. In PKI, a certificate authority (CA) facilitates verifying the authenticity of one or more parties in encrypted communications by digitally signing a certificate that binds a public key to an identity, and publishing it for anyone to see. Suppose Alice wishes to encrypt communications with Bob, and a CA that Alice trusts has published a certificate for a public key belonging to Bob. If Alice encrypts a message intended for Bob using this public key, only the holder of the corresponding private key, which is never published, can recover it; so if the other party’s reply shows that it read the message, Alice can be reasonably certain that the other party is Bob, provided she verified the CA’s signature on the certificate and Bob’s private key has not been compromised. If the other party is unable to read Alice’s encrypted message, Alice may be certain that the other party is not Bob, but Mallory.

Since public keys are published for anyone to use, even Mallory may use Alice’s public key to encrypt messages; but this does not by itself pose a security risk, because anyone who receives Mallory’s ciphertext (besides Alice) will not be able to decipher it back to plaintext, since only Alice possesses the corresponding private key. The public keys in PKI always have a corresponding private key that is, as the name implies, privately held by the party to which the public key belongs. An exception is when a key escrow service is used; in this case a trusted third party, usually the CA or a systems administrator, retains a copy of the public key’s corresponding private key “in escrow.” Key escrow may be useful when the party to whom the key pair belongs loses its private key due to a disaster, when nodes in a load balancing system must be able to decipher each other’s traffic to share a workload, or when legal or business reasons require permitting another party to access encrypted data.

Diffie-Hellman Key Exchange In 1976, Whitfield Diffie and Martin Hellman developed an important key agreement protocol that can be used over a public channel without a priori knowledge of a shared secret. This protocol is commonly referred to as the “Diffie-Hellman key exchange,” or simply “Diffie-Hellman,” and is widely used today. Diffie-Hellman can be found in many common applications including Secure Shell (SSH) for computer systems administration; Secure Sockets Layer (SSL) for e-commerce; and IPsec and Internet Key Exchange (IKE) for encrypted tunnels. Diffie-Hellman cleverly uses the computational difficulty of solving the so-called “discrete logarithm problem” to allow Alice and Bob to compute a shared secret, which may then be transformed into a key for use with a number of cryptographic algorithms 1, after publicly communicating a generator value, a prime modulus, and two calculations (one each for Alice and Bob).

Generating the Shared Secret Alice and Bob agree on a large prime number $p$ and a generator $g$. For $g$ to be valid, it must be an integer with $1 < g < p$; and for every number $n$ from $1$ to $(p - 1)$ inclusive, there must be a power $i$ such that $n = g^i \bmod p$ (that is, $g$ must be a primitive root modulo $p$). In practice $p$ is chosen so that $(p - 1)/2$ is also prime, which makes this check simple. Alice and Bob then each choose a private random integer $a$ and $b$, respectively. Alice uses $a$ to generate a public value $a'$ by computing $a' = g^a \bmod p$. Bob uses $b$ to generate a public value $b'$ by computing $b' = g^b \bmod p$. Alice and Bob exchange their public values, then compute the shared secret $k$: Alice computes $k = (b')^a \bmod p = g^{ba} \bmod p$, and Bob computes $k = (a')^b \bmod p = g^{ab} \bmod p$. Because $g^{ab} = g^{ba}$, Alice and Bob have generated the same shared secret $k$. Note that since $a' = g^a \bmod p$ and $b' = g^b \bmod p$, and Eve could only have overheard $p$, $g$, $a'$ and $b'$, Eve must solve one of these discrete logarithms for $a$ or $b$ if she is to calculate the shared secret.

Example To illustrate the process, we will now generate a shared secret with small values by way of example.

o Alice initiates the Diffie-Hellman key exchange and informs Bob that $p = 7$ and $g = 3$. ($g = 3$ is a valid generator: its powers $3^1, 3^2, \dots, 3^6 \bmod 7$ are $3, 2, 6, 4, 5, 1$, covering every value from 1 to 6. $g = 2$ would not be valid for $p = 7$, since its powers modulo 7 only cycle through $2, 4, 1$; a non-generator shrinks the set of possible shared secrets that Eve has to search.)
o Alice privately chooses $a = 3$ and Bob privately chooses $b = 5$.
o Alice sends Bob $a' = g^a \bmod p = 3^3 \bmod 7 = 27 \bmod 7 = 6$, and Bob sends Alice $b' = g^b \bmod p = 3^5 \bmod 7 = 243 \bmod 7 = 5$.
o Alice now computes the shared secret $k = (b')^a \bmod p = 5^3 \bmod 7 = 125 \bmod 7 = 6$, and Bob computes $k = (a')^b \bmod p = 6^5 \bmod 7 = 7776 \bmod 7 = 6$.

Susceptibility to Attack Due to the difficulty of computing a discrete logarithm, Eve will not be able to use the overheard public values alone to derive the shared secret and decipher Alice and Bob’s future communications. Nevertheless, it is possible for Mallory to intercept Alice’s public value destined for Bob, then reply to Alice on Bob’s behalf with a public value of her own, establishing a shared secret between Alice and Mallory; and likewise intercept Bob’s public value, then reply on Alice’s behalf, establishing a different shared secret between Bob and Mallory. Mallory could then decipher Alice’s communications destined for Bob, then re-cipher the resulting plaintext (having possibly modified it first) under the secret she shares with Bob and send this new ciphertext to Bob. In this case, both Alice and Bob will believe they are communicating with one another when in fact they are communicating with Mallory. Nothing in the exchange itself lets Alice check that the value she received really came from Bob. Such a man in the middle attack can be circumvented by digitally signing the exchanged public values, for example with keys whose certificates Alice and Bob previously published through a PKI.
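The shared-secret procedure and its man in the middle weakness, as an added example that is not code from this paper. It runs the exchange with the example’s toy values ($p = 7$, $a = 3$, $b = 5$, and $g = 3$, a primitive root modulo 7), shows Eve’s brute-force discrete logarithm (linear in $p$, which is why real parameters are hundreds of digits long), and then replays the exchange with Mallory substituting her own public values. Mallory’s private exponents (2 and 4) and the function names are my own choices for illustration; the generator test is the naive “enumerate all powers” check from the definition above, adequate only for toy $p$.

```python
"""Diffie-Hellman with toy parameters, plus the two attacks discussed in the text.

Added example, not code from the paper.  p = 7, g = 3, a = 3, b = 5 are the
worked example's values; Mallory's exponents m1 = 2, m2 = 4 are assumed.
"""
from itertools import count


def is_generator(g: int, p: int) -> bool:
    """True if the powers of g mod p cover every value 1..p-1 (g is a primitive
    root).  Enumerating all powers is fine for toy p only; for a safe prime
    p = 2q + 1 one instead checks g^2 != 1 and g^q != 1 (mod p)."""
    if not 1 < g < p:
        return False
    return {pow(g, i, p) for i in range(1, p)} == set(range(1, p))


def public_value(g: int, private: int, p: int) -> int:
    """a' = g^a mod p on Alice's side, b' = g^b mod p on Bob's."""
    return pow(g, private, p)


def shared_secret(peer_public: int, private: int, p: int) -> int:
    """k = (b')^a mod p on Alice's side, (a')^b mod p on Bob's."""
    return pow(peer_public, private, p)


def honest_exchange(p: int, g: int, a: int, b: int):
    """Return (a', b', k_alice, k_bob).  The two secrets agree."""
    a_pub, b_pub = public_value(g, a, p), public_value(g, b, p)
    return a_pub, b_pub, shared_secret(b_pub, a, p), shared_secret(a_pub, b, p)


def eve_discrete_log(g: int, target: int, p: int) -> int:
    """Eve's brute force: the smallest x >= 1 with g^x = target (mod p).
    Cost grows linearly with p, which is why p must be very large."""
    for x in count(1):
        if pow(g, x, p) == target:
            return x
        if x > p:
            raise ValueError("no discrete log: g is not a generator or target is 0")


def mallory_in_the_middle(p: int, g: int, a: int, b: int, m1: int, m2: int):
    """Mallory intercepts a' and b' and hands each party a value of her own.
    Returns (k_alice, k_bob, k_mallory_with_alice, k_mallory_with_bob):
    Alice and Bob end up with different secrets, both known to Mallory."""
    a_pub, b_pub = public_value(g, a, p), public_value(g, b, p)
    m1_pub, m2_pub = public_value(g, m1, p), public_value(g, m2, p)
    # Alice receives m1_pub believing it is b'; Bob receives m2_pub believing it is a'.
    k_alice = shared_secret(m1_pub, a, p)
    k_bob = shared_secret(m2_pub, b, p)
    # Mallory derives both secrets from the values she intercepted.
    k_m_alice = shared_secret(a_pub, m1, p)
    k_m_bob = shared_secret(b_pub, m2, p)
    return k_alice, k_bob, k_m_alice, k_m_bob


if __name__ == "__main__":
    p, g = 7, 3
    print("g=2 generator?", is_generator(2, p), " g=3 generator?", is_generator(3, p))
    a_pub, b_pub, k_a, k_b = honest_exchange(p, g, 3, 5)
    print(f"a'={a_pub} b'={b_pub} k_alice={k_a} k_bob={k_b}")
    print("Eve recovers a =", eve_discrete_log(g, a_pub, p))
    print("MITM (k_alice, k_bob, mallory/alice, mallory/bob):",
          mallory_in_the_middle(p, g, 3, 5, 2, 4))
```

Signing $a'$ and $b'$, as the text recommends, is what breaks `mallory_in_the_middle`: Alice would reject `m1_pub` because it does not carry Bob’s signature.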

1 “Diffie-Hellman Key Agreement Method”, RFC 2631, describes a method to turn the shared secret into an actual encryption key of arbitrary length for use with an encryption algorithm.

RSA Ron Rivest, Adi Shamir, and Leonard Adleman developed another widely used key generation method known as the RSA algorithm. RSA is similar to Diffie-Hellman in that it relies on clever mathematics. Whereas Diffie-Hellman leverages the computational difficulty of solving the discrete logarithm problem, RSA relies on the difficulty of factoring the product of two very large prime numbers.2 RSA is commonly used to generate public-private key pairs well in advance of encrypting communications, and the public key is subsequently published for anyone to use, rather than just a single party as in Diffie-Hellman 3. Since it is extremely time consuming to factor the product of the very large prime numbers used in RSA, it is safe to publish that product as part of the public key; the primes themselves must never be disclosed, because knowing either one reveals the other by a single division. The RSA algorithm and RSA Laboratories’ various Public-Key Cryptography Standards (PKCS) specifications provide the basis for everyday encryption systems like Secure Sockets Layer (SSL) and S/MIME.

Generating an RSA Key Pair An RSA key pair is defined as a public key and its corresponding private key. The public key may be published and consists of a “modulus” $n$ and “public exponent” $e$, while the private key should not be published and consists of the same modulus $n$ along with a “private exponent” $d$. To choose the exponents $e$ and $d$, first calculate the product $n = pq$, where $p$ and $q$ are large prime numbers. Choose a value for $e$ such that $1 < e < n$ and $e$ is relatively prime 4 to $(p - 1)(q - 1)$; another way of stating this is that the greatest common divisor (GCD 5) of $e$ and $(p - 1)(q - 1)$ must be 1. Now choose a value for $d$ such that $(de - 1)$ is divisible by $(p - 1)(q - 1)$; equivalently, $d$ is the inverse of $e$ modulo $(p - 1)(q - 1)$, which the extended Euclidean algorithm computes directly. In practice $e$ is fixed in advance (commonly 65537) rather than searched for, and $d$ is computed as that inverse. The key pair has now been generated: a message $m$ with $0 \le m < n$ is encrypted to the public key as $c = m^e \bmod n$ and recovered with the private key as $m = c^d \bmod n$, which is how the keys are used in our discussion of PKI earlier.

Example

We now illustrate the process of generating an RSA key pair, $k_{pub} = (n, e)$ and $k_{priv} = (n, d)$, using small values for simplicity.

o We choose our prime numbers $p = 5$ and $q = 7$ and compute the product $n = pq = 35$.
o We calculate $(p - 1)(q - 1) = 4 \cdot 6 = 24$.
o We find $e$ by looping from $e = 2, 3, \dots, 24$ and testing whether $\gcd(24, e) = 1$, stopping once this condition is met ($\gcd(24, 2) = 2$, $\gcd(24, 3) = 3$, $\gcd(24, 4) = 4$). We eventually determine that $e = 5$, giving us the public key $k_{pub} = (35, 5)$.
o We find $d$ by looping from $d = 1, 2, 3, \dots$ until $(de - 1) / ((p - 1)(q - 1))$ gives an integer result. We eventually determine that $d = 5$, since $5 \cdot 5 - 1 = 24$, giving us the private key $k_{priv} = (35, 5)$.

Note that in this example the public key and private key happen to be the same, because $5 \cdot 5 = 25 \equiv 1 \pmod{24}$; with primes of realistic size this does not occur.

2 “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”, RFC 3447, provides very detailed recommendations for implementing the RSA algorithm.

3 It is possible for more than two parties to participate in a Diffie-Hellman key exchange, but each party must participate in the key generation and exchange process. In this regard, I believe RSA is better suited for use in PKI due to the scalability of publishing a single key that anyone may use to encrypt their communications to a particular party, instead of generating a new key for every party at the beginning of each new conversation.

4 Two numbers are “relatively prime” or “coprime” if their only common factor is 1.

5 Two algorithms commonly used to calculate the GCD are the Euclidean algorithm and Stein’s algorithm.

Susceptibility to Attack The RSA algorithm’s weakness and strength depend on the choice of prime numbers used during key pair generation. The use of small prime numbers, or the re-use of a prime number across multiple key pairs, makes it easier for Mallory to compute the private exponent $d$: two moduli that share a prime factor are both factored at once by computing their GCD, and once $p$ and $q$ are known, $d$ follows from $e$ exactly as in key generation. Since the product of small prime numbers $p$ and $q$ can be factored quickly through brute force (trial division up to $\sqrt{n}$) but the product of large prime numbers is not so easily factored, it is important to choose very large prime numbers 6. Choosing values of $p$ and $q$ that are very large will of course cause the calculation of their product $n$ to take longer, but not on the same order of magnitude it would take to factor $n$. Since $p$ and $q$ are primes, $n$ is a semiprime, and the ease of computing a semiprime in contrast to the difficulty of deriving a semiprime’s factors is the underlying ingenuity of RSA. Factoring is considered a hard problem like solving discrete logarithms, and as time has progressed RSA has endured; as semiprimes of various lengths have been factored 7, users of RSA have simply generated new key pairs using larger prime numbers and published the new key pairs’ public keys. Factoring these large semiprimes has taken enormous amounts of computational power and time, and the effort has not yet yielded an efficient algorithm for factoring arbitrary semiprimes of similar or larger size.
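The key generation procedure and worked example above, together with the factoring attack this section warns about, as an added example that is not code from this paper. `keygen` reproduces the paper’s search for $e$ with $p = 5$, $q = 7$ (yielding $e = d = 5$) and also accepts a fixed $e$ as real implementations do, computing $d$ with the extended Euclidean algorithm; `recover_private_key` is Mallory’s brute force, trial division of $n$ followed by the same inverse computation; `shared_prime_attack` shows why a prime must never be re-used between moduli. The second key pair ($p = 61$, $q = 53$, $e = 17$) and the messages are constructed test values; none of the names come from the paper or from any library.

```python
"""RSA key generation with toy primes, and the factoring attack on small n.

Added example, not code from the paper.  p = 5, q = 7 are the paper's values;
the (61, 53, e=17) pair, the sample messages and all names are assumptions.
"""
from math import gcd, isqrt


def modinv(e: int, phi: int) -> int:
    """Extended Euclid: return d with d*e = 1 (mod phi)."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and (p-1)(q-1) are not coprime")
    return old_s % phi


def keygen(p: int, q: int, e: int = None):
    """Return ((n, e), (n, d)).  With e=None, search e = 2, 3, ... for the first
    value coprime to (p-1)(q-1), as the paper's example does; real
    implementations fix e (commonly 65537) and only compute d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e is None:
        e = next(c for c in range(2, phi) if gcd(c, phi) == 1)
    d = modinv(e, phi)
    assert (d * e - 1) % phi == 0  # the paper's divisibility condition on d
    return (n, e), (n, d)


def encrypt(m: int, pub) -> int:
    """c = m^e mod n; requires 0 <= m < n."""
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, priv) -> int:
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Mallory's brute force: instant for toy n, hopeless for a 2048-bit n."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("n has no non-trivial factor")


def recover_private_key(pub):
    """Given only (n, e): factor n, then rederive d exactly as keygen did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, modinv(e, (p - 1) * (q - 1))


def shared_prime_attack(n1: int, n2: int):
    """Two moduli that share a prime are both factored by a single GCD.
    Returns (shared prime, cofactor of n1, cofactor of n2) or None."""
    g = gcd(n1, n2)
    if g in (1, n1, n2):
        return None
    return g, n1 // g, n2 // g


if __name__ == "__main__":
    pub, priv = keygen(5, 7)
    print("paper's pair:", pub, priv)
    c = encrypt(9, pub)
    print("m=9 ->", c, "->", decrypt(c, priv))
    print("recovered from public key alone:", recover_private_key(pub))
    pub2, priv2 = keygen(61, 53, e=17)
    print("fixed-e pair:", pub2, priv2, "recovered:", recover_private_key(pub2))
    print("moduli 35 and 77 share a prime:", shared_prime_attack(35, 77))
```

`recover_private_key` is the whole argument for large primes in one function: its cost is the cost of `factor_by_trial_division`, which is trivial here and infeasible for real moduli, while `keygen` stays cheap at every size.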

It should be obvious that the compromise of Alice’s private key in an RSA key pair would allow Mallory to succeed in a man in the middle attack between Alice and another party, or allow Mallory to simply impersonate Alice, and for this reason it is of paramount importance to protect one’s private key, regardless of the size of the prime numbers chosen. When a key escrow system is used, as is often the case when a PKI is implemented in a large organization to allow users to digitally sign emails, encrypt sensitive company documents, or remotely authenticate to access internal resources via a virtual private network (VPN), an entire organization’s private keys can be compromised in a single attack on the escrow, which likewise makes the selection of large prime numbers irrelevant.

6 One can also decipher a message encrypted using an RSA public key without knowing the private key by computing $m^{1/e} \bmod n$, where $m$ is the ciphertext message; but that requires knowing how to compute an $e$-th root mod $n$, and no efficient way to do so for a large semiprime $n$ is known without its factorization.

7 Several semiprimes up to 768 bits (232 decimal digits) long have been factored as part of RSA Laboratories’ “RSA Factoring Challenge”; details are available at http://www.rsa.com/rsalabs/node.asp?id=2092 .

References

RSA Laboratories. “3.6.1 What is Diffie-Hellman?” http://www.rsa.com/rsalabs/node.asp?id=2248 . Retrieved April 2012.

David A. Carts. A Review of the Diffie-Hellman Algorithm and its Use in Secure Internet Protocols. SANS Institute Reading Room. November 5, 2001.

E. Rescorla. “Diffie-Hellman Key Agreement Method”, RFC 2631. http://www.ietf.org/rfc/rfc2631.txt . June 1999.

J. Jonsson, B. Kaliski. “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”, RFC 3447. http://www.ietf.org/rfc/rfc3447.txt . February 2003.

R. Housley, et al. “Internet X.509 Public Key Infrastructure Certificate and CRL Profile”, RFC 2459. http://www.ietf.org/rfc/rfc2459.txt . January 1999.

RSA Laboratories. “3.1.1 What is the RSA cryptosystem?” http://www.rsa.com/rsalabs/node.asp?id=2214 . Retrieved April 2012.

R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21 (2), pp. 120-126. February 1978.

RSA Laboratories. “3.1.3 What would it take to break the RSA cryptosystem?” http://www.rsa.com/rsalabs/node.asp?id=2216 . Retrieved April 2012.