Recall that the Diffie-Hellman key exchange is a public key cryptographic algorithm. There are some public values, so we can think of it as: there's also a public and private key. For example, in the calculations the algorithm specifies, we select a private X and we calculate our public Y, and we exchange the Y with each other. So X is part of our private key, and Y is part of our public key in this case. If we exchange the values of Y with the other person, then we do a final calculation: each side calculates K, where the calculations should be such that both sides end up with the same value K. So let's first just show quickly that that does happen, prove why we will always get the same K at both sides. And then we'll look at what the attacker can do and where the strength of Diffie-Hellman key exchange comes in.

Our example that we introduced last lecture was: we chose, for simple calculations, a value of Q, the prime, of 353, and alpha of 3. Alpha needs to be a primitive root of the prime Q. User A chooses a private value XA to be 97; it needs to be less than Q. In practice that will be chosen randomly, say by software. Then user A calculates its public Y value, alpha to the power of XA mod Q, and they got 40. And then they tell user B their public Y value and what we call the global public parameters, Q and alpha. Q and alpha can either be exchanged in this message or maybe they were exchanged in the past. So they both know Q and alpha, and so does the rest of the world: they are public values, and anyone can intercept this message and learn those three values.

User B selects its own private value, 233, and calculates its public value Y, again alpha, the same alpha, to the power of its XB mod Q, and they got 248, and tells user A its public Y value. So both sides know alpha and Q.
They know their own private X, and they know both values of Y: their own public Y and the public Y from the other user. And they use the same equation to then calculate K, which is the other public Y raised to the power of their private X, mod Q. And we got 160, and the other user, who takes the same approach but using A's public Y, also got 160.

Why do they both get 160? Let's look at the proof of that. It's not so hard to show that they'll turn out the same. Let's write down the steps that are used. For example, YA is alpha to the power of XA mod Q. What else do we have? YB is alpha to the power of XB mod Q. These are the equations used in the algorithm and they are known. And KA equals YB to the power of XA mod Q, and similarly KB equals YA to the power of XB mod Q. So let's look at why those two values of K, KA and KB, will always turn out to be the same.

Let's do a substitution. KA equals YB to the power of XA mod Q. We know an equation for YB: YB is alpha to the XB mod Q. That's YB, all to the power of XA. So just substitute for YB, and use our properties of modular arithmetic. Remember, in the simple case, 10 mod 8 equals what? 10 mod 8?
10 mod 8 equals 2. 2 mod 8: 2. 2 mod 8 again. If you keep modding by 8, you'll still get the same answer. That concept can be applied: if you have two mods, something mod 8 and then mod 8 again, in fact you can just replace that with one mod and you get the same answer. Something similar can be applied where we have exponentiation, which is just multiplication multiple times, which is just addition multiple times. When we have a mod Q inside the brackets here and a mod Q outside, we can actually cancel out this mod Q inside, because we'll eventually mod by Q there. So if we mod by Q twice, we can write it the same as being mod by Q just once at the end. So it becomes alpha to the XB, all to the power of XA, mod Q. And by our simple rules of exponentials, alpha to the XB all to the power of XA equals alpha to the power of XB times XA, mod Q. So KA equals alpha to the power of XB times XA mod Q.

Let's look at KB from the same perspective, but we'll substitute, and we'll squeeze it in. YA is replaced with alpha to the XA mod Q, all to the power of, sorry, it's XB, mod Q. That is, just substitute for YA, and the same rules apply. That is, the mod Q can be cancelled out after the XA, all to the power of XB mod Q, and that becomes alpha to the XA times XB mod Q. So they are the same: alpha to the XB times XA is the same as alpha to the XA times XB. That's the proof that the two keys that we'll get on either side will be identical. Any questions? We can reverse XA and XB; it's the same when we multiply.

Then let's look at what the attacker can do. Come back to our example and see: given what the attacker knows, how can they find the secret? It's all about keeping K secret. So what does the attacker know? They know the algorithm. They know all those equations. What do they know in this case? Q, alpha, YA, YB. So we know them. We don't know XA or XB.
They're kept private. So given what we know, let's see the steps the attacker needs to take to find the secret. For example, let's say we want to find KA, which is the same as finding KB, which is YB to the XA mod Q. In our example the attacker knows that KA... YB, they know: 248. XA they don't know, and Q they do know. So here we have an equation with four variables: two of them are known, two are unknown. So there's no way to solve that. We need to do something else. What can we do, as the attacker, now?

We can't find KA because we don't know what XA is. So that suggests we try and find XA. We know a second equation, which says that YA equals alpha to the power of XA mod Q. That's the other part of the algorithm. And we know YA is 353. We know alpha: 3. We know XA... we don't know XA, but we know Q is... What mistake have I made? Is anyone awake? I hope you didn't copy that. 248; alpha is 3; XA is unknown; mod 353. Now that's better for the attacker. We have an equation with four variables: three are known, one is unknown. So we should be able to solve that.

What's the step to solve that? We've got an exponential mod something. What's the opposite? A logarithm, or a discrete log we call it: when we have a modular exponentiation, the inverse is the discrete log, and we write it as the index. XA equals the discrete log, dlog, all right, in base 3 mod 353, of 248. So if we can solve the discrete logarithm here, we'll find XA, and if we find XA then we can easily find KA, because we just plug it into this equation. Exponentiation is easy if we know XA: it's 248 to the power of XA mod 353, and we'd find KA.

What's the problem from the attacker's perspective in general? What would make Diffie-Hellman secure? If we have large numbers (these are not large numbers), if we have large numbers in terms of hundreds of bits as a binary number, then solving the discrete logarithm,
we've already said, is practically impossible to do. The discrete logarithm of a number is one of those problems which is considered computationally hard. That is, if the numbers are large enough then you cannot find the answer within reasonable time, within any practical time. So discrete logarithms are the same as factoring a large number into its primes, and the same as finding the totient of a number: those problems are considered too hard to solve. So therefore, although with these small numbers we could find the answer XA (it'd be easy, you could do it with your lookup table), if these are large numbers then the attacker will not be able to find XA, and since they cannot find XA they cannot calculate KA. So the strength of Diffie-Hellman depends upon the fact that solving discrete logarithms is computationally hard. If you try it from the perspective of B, KB, YB and so on, it's the same problem that arises.

So since we can't solve the discrete log in general if we have large numbers, then we could try and guess XA, brute force. And again, to prevent that being successful, we just have to make sure XA is large enough, a large random number. So if we have large enough numbers, solving the discrete log is not possible, and finding XA is therefore not possible. Therefore finding the key is not possible. Any other approaches?
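Added example, not part of the lecture: the exchange with the lecture's numbers (Q = 353, alpha = 3, XA = 97, XB = 233) and the discrete-log step an eavesdropper would need. It goes beyond the lecture by also showing baby-step giant-step, a standard generic method whose cost still grows with the square root of Q; all function names are this example's own.

```python
import math

def dh_public(alpha, x, q):
    """Y = alpha^X mod Q."""
    return pow(alpha, x, q)

def dh_shared(y_other, x_own, q):
    """K = (other side's Y)^(own X) mod Q."""
    return pow(y_other, x_own, q)

def dlog_brute_force(alpha, y, q):
    """Try X = 1, 2, ... until alpha^X mod Q == Y; return (X, multiplications used)."""
    value = 1
    for x in range(1, q):
        value = (value * alpha) % q
        if value == y:
            return x, x
    raise ValueError("Y is not a power of alpha mod Q")

def dlog_bsgs(alpha, y, q):
    """Baby-step giant-step: the same X in about sqrt(Q) steps and sqrt(Q) memory."""
    m = math.isqrt(q - 1) + 1
    baby, value = {}, 1
    for j in range(m):                 # table of alpha^j for j < m
        baby.setdefault(value, j)
        value = (value * alpha) % q
    giant = pow(alpha, -m, q)          # alpha^(-m) mod Q (needs Python 3.8+)
    gamma = y % q
    for i in range(m):                 # look for Y * alpha^(-i*m) in the table
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = (gamma * giant) % q
    raise ValueError("Y is not a power of alpha mod Q")

def eavesdropper_key(alpha, q, y_a, y_b):
    """Recover K from the public values only, by solving one discrete log."""
    x_a = dlog_bsgs(alpha, y_a, q)
    return dh_shared(y_b, x_a, q)

if __name__ == "__main__":
    Q, ALPHA, XA, XB = 353, 3, 97, 233          # values from the lecture
    ya, yb = dh_public(ALPHA, XA, Q), dh_public(ALPHA, XB, Q)
    print("YA, YB:", ya, yb)
    print("KA, KB:", dh_shared(yb, XA, Q), dh_shared(ya, XB, Q))
    print("brute force (XA, steps):", dlog_brute_force(ALPHA, ya, Q))
    print("K from public values only:", eavesdropper_key(ALPHA, Q, ya, yb))
```

With a three-digit prime both searches finish instantly; the work grows with Q, which is why the lecture's security claim is conditional on large numbers.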
Anything else you can do? Maybe use these equations again? Right, okay. So the algorithm is considered secure because of the dependence on the discrete logarithm, but again, always under the condition where we have large numbers. Your next homework task, which is almost ready to be released, today, maybe on the weekend, will involve you using some software to calculate the Diffie-Hellman parameters. Very easy: just use some software, it will do it for you, and you'll see that the lengths of those values, the public and private values X and Y, are in the order of a thousand bits, so a thousand and twenty-four bits. So by large numbers, say a thousand bits long. And that's it. Diffie-Hellman is considered secure in the algorithm because it relies on the discrete log problem. Any questions on Diffie-Hellman?

Someone said the way to beat Diffie-Hellman is to use the man in the middle attack. So we've gone through an example. The algorithm is secure, but if you use it in the way that we just used it, it's possible for an attacker to do what we call a man in the middle attack. Let's see how that works. Not a meet in the middle: remember we did double DES and we did the attack of meet in the middle. A man in the middle is different, and it's applied for different attacks on different schemes. We can see it in play against the Diffie-Hellman key exchange.
Let's go back to what we did as our exchange here. So A sent this message to B: Q, alpha and Y. What a man in the middle attack will do is that our malicious user, let's say C, who's in between A and B, can intercept this message before it gets to B and modify it. So man in the middle is: imagine that someone here receives this message before it gets to B, and they make a change to that message and then forward it on to B. Then B replies, thinking they got the message from A. B replies, and the man in the middle does another change, and the message eventually gets forwarded back to A. The purpose of the attack is that the man in the middle will know the secret, and A and B think they have a shared secret that no one knows. If they can do that then the attack is successful.

Try it. Spend five minutes trying to see if you can perform a man in the middle attack. So what you do is maybe go through the same steps. You can use different numbers if you like, or the same ones. But before this message gets to B, another user, let's say C, gets the message and changes YA to a value that they want, and forwards the message on to B. B thinks it comes from A. Okay, let's say the packet source address says it's from A, so B thinks they get YA, but in fact they get the Y of the man in the middle. And B does its calculation and sends back, and the man in the middle changes YB to something else. See if you can do that such that the man in the middle will know the secret, and A and B think that they have a shared secret which is the same. I'll give you five minutes to perform the attack.

So user A chose its value of XA. Q and alpha are fixed, and we know YA, so we send the public values to B: alpha equals 3, Q equals 19, YA equals 16. But before they get to B, think of this message that was sent: somehow the malicious user intercepts it on the network, and they can make changes to those values, which are not encrypted or anything, so they can change them and then forward on to B, such that when B receives
the message, it thinks it came from A. The source address is faked to pretend to be from A. So what would the malicious user do? Change YA. Change it to what? Not any number. What value, or how would they choose a value of Y that they change it to? They choose their own X first. Okay, that is, the malicious user does really what A did: the malicious user will choose their own X value and calculate a new Y. So they know Q and alpha; that's fixed. So they choose, let's say, an X. Anyone, choose a value: 2. And they get, what is it, 9? 9. Okay, they record those values. Now, what's next? Send the same values of alpha and Q, don't change them (well, there's no need to at this stage), and modify YA to be what? 9, right. We call it YA. It's not in fact YA, it's the Y of the malicious user. Okay, but from B's perspective, when they receive the message they think this is YA. So that's modified.

Then see what B does. Try the steps B would take, and then what they send back, and see what the malicious user does then. Try and complete the steps. B, when it receives the YA, after selecting its XB, calculates its YB and sends back to A. So let's do that. B, let's say they choose XB, their private value, a number: 11. Calculate YB. What do they get? 10. So that's 3 to the power of 11 mod 19. You look it up, you get 10. And now we'll send back YB, and we should also calculate K, KB. How do we calculate KB? YA to the power of XB mod Q, that's 19, gives us what? 5. Okay, so that's the K from B's perspective.

What does the malicious user do? It needs to do a couple of steps here. It can calculate K. All right, to be more specific here, let's call this X malicious B, the one we're using with B. So we receive YB and we calculate, let's say, K mal B. How? We take YB, the one received from the other person, and raise it to the power of our private X, X mal B, that's the 2 that we chose, mod 19. What do we get? Sure, look it up: 5. It should be 5.
I just want to make sure that I've done it correctly. So here the malicious user knows KB is 5. B thinks the shared secret is 5. So we're halfway there. From the attacker's perspective, what we want to do is allow A and B to send and receive the messages as they expect. That is, A sends those three values, B receives three values, B sends back Y, A will eventually receive Y. They'll do their own calculation of K, and let's see what happens at the end.

The malicious user now, what's it going to send back? YB, that's what A is expecting. But they actually select their own value of X, let's say 7, and if we use 7 what will Y be? Alpha, so 3, to the power of 7 mod 19 is 2. So what do we send here? We send 2. And in addition the malicious user can calculate KA: alpha, sorry, not alpha, Y received from A, 16, raised to the power of our private value 7, mod 19. What do we get? You're my calculator. 17. Hopefully this works.

What does A do? They receive YB: I think I got a message from B. We calculate KA. We take the received YB, 2, and raise it to the power of our X value that we started with, 10: 2 to the power of 10 mod 19. What's the answer? 17.

What the end result is: A and B don't know the malicious user did anything, because from their perspective A sent those three values and then it received a Y value back. It doesn't know they were modified. And similarly B received these three values. Okay.
I receive Y from A, I calculate my KB and send back my Y value. It doesn't know anything was modified. But the malicious user, the man in the middle, actually did these modifications and used their own values. So the result: from A's and B's perspective, they think they have exchanged the values with each other, and they think the key that they have is the same as the one the other side has. We know it's not. So KA: A thinks that the secret value is 17; B thinks the secret value is 5. The malicious user knows both of those values. It knows KB is 5, the one that B thinks is the secret value, and KA is 17.

What happens next? Let's say now we encrypt using DES or AES using this secret key. A sends an encrypted message to B. A encrypts with the key 17; it thinks B has the key 17. It sends; the malicious user intercepts again. The malicious user can decrypt because they also have the key 17. They get the plaintext. They encrypt it again using key B, 5, and forward it on to B. B decrypts; it successfully decrypts because B thinks that the key is also 5. A and B send a message to each other encrypted, but in fact the malicious user has intercepted and decrypted the message in the middle.

Just to illustrate that final step. So that's the key exchange, but how is it useful? Let's say we now encrypt a message with some symmetric key cipher. For example, we encrypt some message using key 17 and send that ciphertext. So this is the key that was used to encrypt. The malicious user can decrypt. So let's be precise: that's the ciphertext C. So they can decrypt because they also have the value 17, and now they learn the message M. So they now know the encrypted message, and what they do is they encrypt M and forward it on to B. C prime, I'll call it, because it's different from the original C. Encrypt the same message using what?
The key 5. B receives: it's got a message from A. It thinks it shared a secret key with A, which is the value 5, so it decrypts using the key that it shared with A and it gets the original message. It successfully decrypts, so everything works as expected from B's perspective and they get the message. But what has happened is that the malicious user also knows the message. So this is the man in the middle attack, where A and B think they're communicating securely. They think they have a shared secret key, but in fact they have a key shared with a man in the middle, and now the man in the middle can intercept anything that they send to each other, decrypt it and see the message. They could also modify the message if they wanted to.

So this is a common form of attack, not just on Diffie-Hellman but on other, especially public key, ciphers. We'll see it applies to RSA if it's used in some scenarios. Any questions on the man in the middle attack? Or it could be a woman in the middle; it's whoever's doing the attack. Of course this requires the malicious user to be able to intercept and modify messages, which in a network normally we assume they can do.

How do we stop it? What service do we need to stop this? What went wrong? One of the first steps was that
B received a message, this first message here, thinking it's from A when it's in fact been modified. The malicious user has modified it. So it's actually come from someone else, but B thinks that they received this message from A. So what we need is the service of authentication and data integrity. We need to be able to prove, when we receive a message, who it came from. So what we'd need is, when B receives this message, it should be able to detect: this is not from A, it's from someone else, therefore don't trust it. And that's, in general, authentication. So we need to be able to authenticate the messages we receive, not just trust anything we receive. And that's our next topic.

To close on public key cryptography: we may see another example of man in the middle on another cipher in another topic. The countermeasure is to use authentication, and we'll see in the upcoming topics the main form is digital signatures, or a combination with public key certificates, so we'll introduce them. We've already said that there are other public key cryptosystems. We've gone through RSA and Diffie-Hellman, but there are others. And that finishes this topic.
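Added example, not part of the lecture: the man in the middle exchange replayed with the lecture's numbers (Q = 19, alpha = 3, XA = 10, XB = 11, C's values 2 and 7), followed by the countermeasure named at the end, a signature over A's message that B checks before using YA. The RSA key is a constructed toy that is far too small for real use, and the example assumes B already holds an authentic copy of A's verification key (the role of a certificate); all names are this example's own.

```python
import hashlib

Q, ALPHA = 19, 3                      # public parameters from the lecture

def dh_public(x):
    return pow(ALPHA, x, Q)

def dh_shared(y_other, x_own):
    return pow(y_other, x_own, Q)

def unauthenticated_exchange(x_a, x_b, x_mal_b, x_mal_a):
    """Replay the lecture's exchange with C swapping both Y values in transit."""
    y_a, y_b = dh_public(x_a), dh_public(x_b)
    y_seen_by_b = dh_public(x_mal_b)  # C replaces YA on the way to B
    y_seen_by_a = dh_public(x_mal_a)  # C replaces YB on the way to A
    return {
        "k_a": dh_shared(y_seen_by_a, x_a),    # what A believes K is
        "k_b": dh_shared(y_seen_by_b, x_b),    # what B believes K is
        "c_with_a": dh_shared(y_a, x_mal_a),   # key C shares with A
        "c_with_b": dh_shared(y_b, x_mal_b),   # key C shares with B
    }

# Constructed toy RSA signing key for A: n = 61 * 53, e * d = 1 mod 3120.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

def digest(q, alpha, y):
    """Hash of the whole message (Q, alpha, Y), reduced to fit the toy modulus."""
    data = f"{q}|{alpha}|{y}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N

def sign(q, alpha, y):
    """A signs with its private exponent; C does not have RSA_D."""
    return pow(digest(q, alpha, y), RSA_D, RSA_N)

def verify(q, alpha, y, signature):
    """B accepts YA only if the signature covers exactly the values received."""
    return pow(signature, RSA_E, RSA_N) == digest(q, alpha, y)

if __name__ == "__main__":
    keys = unauthenticated_exchange(x_a=10, x_b=11, x_mal_b=2, x_mal_a=7)
    print("without authentication:", keys)     # A and B hold different keys
    y_a = dh_public(10)
    sig = sign(Q, ALPHA, y_a)
    print("genuine YA accepted:", verify(Q, ALPHA, y_a, sig))
    print("substituted YA accepted:", verify(Q, ALPHA, dh_public(2), sig))
```

The same check applies in the other direction: A verifies B's signature over YB before computing KA.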