 The Diffie-Hellman key exchange is used for exchanging just a secret. So the aim is A and B have one value, which is the same, the secret, and no one else knows that value. So this is useful if we want to do symmetric key encryption. The problem with symmetric key encryption is that how do I get the key from A to B? Well, what we can do is use the Diffie-Hellman key exchange to exchange a secret key, and then to encrypt our data use that secret key as the key for, say, AES, a symmetric key algorithm. So we exchange secrets with Diffie-Hellman and then use that secret to encrypt our data. So we've gone through two examples. So just as a reminder, the process is that there are two global variables. That is, two values we assume A and B know, others may know. How do they know them? They either agree upon them upfront or user A chooses them and sends them in a message to B. Remember, everything that's sent across the network, we assume the attacker can see. So unless we encrypt it, we assume the attacker knows the values which are sent from A to B. In this example, or on this slide, it assumes that A and B know the two global variables which are alpha and Q. So the values chosen, anyone can know them. X chooses a random value or generates a random value. Sorry, A generates a random value called X. That's what we say, the private value of A. There are some conditions, less than Q. Then they calculate their public value Y. So A will have two values, their private X and their public Y. We can think their private key and their public key. They send Y to B. B does effectively the same. They generate a random X, their private X, keep it to themselves. Calculate their public Y and sends their public Y back to A. And from their private value X and the other user's public value Y, each user generates or calculates a value K. And the equations for doing that are given here. And it can be proved that the K calculated by user A will be identical to the K calculated by user B. 
Such that A and B get the same K value. That is, they get the same secret. And because of the difficulty of solving discrete logarithms, an attacker, even if the attacker knows alpha, Q, YA and YB, they cannot find XA or XB and therefore they cannot find K. So K is the secret that we exchange. A and B have it. The attacker does not have a way for finding the secret K. Now that assumes that we're using large values. We need to make Q very large. So X, the private value, can be very large. And if that's the case, then because of the difficulty in solving discrete logarithms, Diffie-Hellman Key Exchange is considered secure. But we'll see there's an exception. We'll see that there is a possible attack which we'll go through. The example we finished with was using some small numbers. So we can calculate. We had Q of 19, alpha of 10. User A chose private X of 7. Calculated YA of 15, sent Q, alpha and YA to B. They are public values. The attacker also knows them. B selected X randomly to be 8. YB is 17. Sends YB back. They both calculate independently their K values. User A calculates KA, user B, KB, and they get the same value. And you can show quite easily why they'll always get the same value. Then that value, K, we say, of 5, the concept is that that value now can be used to encrypt using, say, AES or some symmetric algorithm. So let's say to continue this one, the idea is that now we have data to be sent. When A has some data to be sent to B, then they'll calculate the ciphertext using some encryption algorithm. The idea is, let's say, AES. And of their message, or plaintext, P1, and what key will they use? KA, or KA here. I'll denote as KA because KA and KB are the same. They encrypt their plaintext using that key and when they send the ciphertext to B, B can decrypt because B also knows the key. Now, of course, we've got small values of the key, so that's the limitation of the small numbers. That's the idea.
So let's look at what an attacker can try to do to try and defeat this scheme. And we'll go through a second example, but slightly different. And what the attacker will do, we assume the attacker can intercept messages, so the attacker can overhear what's sent between A and B and back, but they can also modify messages and when they intercept, they can forward on a different message. So imagine there's a link or a network between A and B and the attacker somewhere in the middle when a message is sent from A to B, the attacker gets it and they can make changes as they wish and then forward something on to B. So let's see what the attacker can do to try and defeat this scheme. And what the attacker wants to do is to make A and B think they have a shared secret, K, such that then they encrypt their data, P1, the plaintext, with that secret, and thinking that only B can decrypt that, but the attacker can also decrypt it. That's the aim of the attacker. Also to be able to decrypt these messages sent using the secret key. Let's see how it works. So we use similar values, but slightly different for this example because I have the solutions. We have again user A and user B and let's say the public values are already known. Q is 19, alpha is 3. So that's known by A, it's known by B and also the attacker. So A goes through its steps of generating or selecting random X and calculating public Y. So let's say XA is chosen, it must be less than 19. Let's say we choose 10. This is private, known only by A. And we calculate YA, alpha to the power of XA, mod Q. And our Q is 19. And I've calculated before you can check, 3 to the power of 10 mod 19 is 16. A calculates its public Y and it sends that to B. So A and B are going to follow the protocol. Choose random X, calculate Y, exchange. But what's different in this case is that we have a malicious user in the middle between A and B which is going to intercept and possibly modify some messages. So A sends the message to B. 
Inside the message is YA, the value of 16. And in fact we could also include Q and alpha inside the message. But let's assume that they are known in advance anyway so we don't need to include them in the message just to keep it short, the message. Now it's sent to B but before it gets to B the malicious user intercepts. The malicious user intercepts the message and what the malicious user does is chooses its own private value X and calculates its own public value Y. So before that message gets to B what the malicious user does is calculates or chooses an X randomly, X of the malicious user and we'll denote it as XB because we're going to have another value later and I choose a random number less than 19 and I get 2 and calculate Y. And what do we have? We have 3 to the power of 2 mod 19 which is 9. 3 squared is 9 mod 19, we end up with 9 as Y. So the malicious user intercepts this YA, records the value and now generates their own private value X and calculates their public value Y and sends a message on to B. B doesn't know the malicious user did this. They send on the value but they change YA not to be 16 but to the value that they calculated, 9. We're using the same alpha and Q in all cases. So what the malicious user has done in this step is calculated their own values of X and Y and sent that calculated Y, the public value, on to B trying to pretend to make B think you've just received a message from A and it says YA equals 9. B receives this message, what do they know? Do they know what the malicious user did? No, they've just received a message, it's got the Y value so they think it's from A and they go through the normal steps, choose their private X, calculate YB. So B thinks user A sent me 9. So let's go through the steps of what B does. Choose XB to be random, it's private. Known only to B. Let's say we choose 11. Calculate the public YB. What have we got? 3 to the power of 11 mod 19. Use your calculator and you get 10.
We're going to send that value back. Sorry, if you can't see, that's a 19. 3 to the power of 11 mod 19. The answer is 10. This is the normal step that B does and sends that value back. They send back YB equals 10 and after sending back their public value they calculate their secret value, KB. What's the value? We take the other user's public value Y and raise it to the power of our private value X mod by Q. The other user's public value is what? 9. User B received YA equals 9. They have XB is 11, so they take 9, raise it to the power of 11 mod by 19. Calculator, 9 to the power of 11 mod 19 is 5. So B is finished from its perspective. It received a Y value from user A of 9, chose X, calculated YB, sends it back to A and calculates the shared secret KB equals 5. But YB equals 10 doesn't get back to A. Our malicious user intercepts that message and makes some changes. Let's see what they do. The malicious user gets YB of 10, several steps. First, they calculate KB. From a malicious user's perspective, they have X exchanged with B of 2, or the private X of 2, Y that they sent to B of 9 and the Y that they received from B of 10. How do we calculate the key K? We take the received Y, raise it to the power of our private X. Which Y value was received by the malicious user? We received Y of 10. We raise it to the power of 2. Why 2? Because that was the private value that the malicious user chose for the exchange with user B. X of the malicious user to exchange with B was 2 and they calculated the Y value of 9, which they sent to B pretending to be A. So we take 10, the received value, raise it to the power of 2. Again, mod 19. 100 mod 19 is 5. That is, user B calculates a secret KB of 5, thinking this is the secret that is going to be exchanged with user A. But in fact it was the secret exchange with the malicious user. The exchange between the malicious user and B is the normal Diffie-Hellman.
The malicious user chooses a private X, calculates a public Y, sends that public Y to B, B chooses a private X, calculates a public Y, sends that back to the malicious user, they both calculate the key and it will be the same because we've just done the Diffie-Hellman key exchange between the malicious user and user B. But B doesn't know that. B doesn't know that this exchange was with the malicious user. They think it's with A. Let's continue. The malicious user is going to do a Diffie-Hellman secret key exchange also with user A. It received YA of 16 from A. It will now select its own private value. So we select an X value which we're going to use with user A. Randomly, less than 19, let's say 7 and calculate Y for the malicious user to be exchanged with user A. We get 3 to the power of 7 mod 19. The Y value: take alpha, 3, raise it to the power of X, 7, mod 19. 3 to the power of 7 mod 19 is 2 and while we're here, we'll calculate KA. Just to make it clear, to calculate the secret key, we take the received Y, raise it to the power of our X mod by Q. Received Y, we receive 16. Our X chosen was 7 mod by 19. 6 to the power of 7 mod 19. 16 to the power of 7 mod 19. 17. What our malicious user is doing is acting as user B, pretending to be user B when it's communicating with A and pretending to be user A when it's communicating with B. It's acting as this person in the middle between A and B to do the attack. We refer to it as a man in the middle attack and so far the malicious user has exchanged values with B such that they get the same secret key K. KB is 5 and now the malicious user will send back Y for the malicious user to exchange with A of 2. Send that back to A. Pretending that this is YB but it's actually the Y value that was calculated by the malicious user. What does user A do? They calculate the key. The received Y of 2 raised to the power of their X. Their X was 10 mod 19. 2 to the power of 10 mod 19. Anyone want to guess? 17. The end result.
User A thinks it's done a secret key exchange with user B. User B thinks it's done a secret key exchange with user A, but in fact they've both done it with the man in the middle, the malicious user. So if we look at the secret keys that have been derived: KA known by A is 17, but the malicious user also knows KA is 17. KB known by user B is 5; the malicious user also knows KB of 5. Now note that the key known by A and B are different values. In a true Diffie-Hellman secret key exchange they must be the same value, but under this attack A and B end up with different values, but they are the same values which the malicious user knows. How does the malicious user use this in an attack? Let's say A has data to encrypt and send to B. We want to encrypt now using symmetric key encryption, no longer using Diffie-Hellman, but encrypt using this secret key that we've just obtained. A is going to use 17, B is going to decrypt with 5. The idea is that A will encrypt with its secret key, B will decrypt with its secret key. Let's see how it works. A has some message. Let's say using AES this is the ciphertext that they are going to obtain. The message, the plaintext P1, what key do they use? The secret key that they've just exchanged; the value will be 17. They send that to B. Whatever the value is, the concept is we encrypt with this secret value with, say, AES or some other symmetric key cipher, we'll get some ciphertext C1, we'll send that to B, but again the malicious user, the man in the middle, intercepts. Can the malicious user decrypt this ciphertext? The ciphertext was encrypted using key KA equals 17. If the malicious user has that key then they can decrypt.
Yes, they do have the key. They know KA is 17. Malicious user decrypts. They learn P1 by decrypting the ciphertext. So here's the first problem: the plaintext P1 is supposed to be sent securely or confidentially to B. We encrypt it using the key 17, send it to B, the malicious user intercepts, they can decrypt because they also know the key that A is using, so they learn the plaintext. But this attack is even more than that. What the malicious user does now is encrypts that plaintext with what? To continue the attack, the attacker is going to encrypt the plaintext with what value? The key which is the key that's been exchanged with B, which is 5. KA 17 was exchanged with a malicious user. Another key, KB of 5, was exchanged between the malicious user and B. So the malicious user now encrypts that plaintext with the key exchanged with B. I'll denote the result as C2. It will be different because we've got a different key to encrypt. Send that on to B. Decrypt. When we receive a message, I am user B, I think it's come from A. The key I exchanged with A is 5, so decrypt with key 5. If P1 was encrypted with key 5 to get C2 and C2 is decrypted with the same key, then we'll get the original plaintext back. The plaintext will make sense. It was the original plaintext that A sent.
But what's happened? A sent a message to B. P1 was encrypted. It's eventually received by B. A and B think they're communicating securely. They've exchanged the message, it was encrypted, it's successfully decrypted. From their perspective everything is okay. But what's happening in the middle is that the malicious user has decrypted the ciphertext and also learned that plaintext. The result is, as A and B communicate, they think everything is okay, encrypting their data, getting decrypted successfully, but the malicious user is also intercepting everything in the middle, so they also learn all the plaintext. They could potentially modify the plaintext as well if they wanted to. We no longer have confidential communications. This is called in general a man in the middle attack. It doesn't just apply to Diffie-Hellman. It applies to other ciphers, public key ciphers especially, and the man in the middle being able to learn the plaintext while the two users thinking that they're communicating securely.
Questions on the man in the middle attack on Diffie-Hellman key exchange? It may seem complex at the start, but if you know the Diffie-Hellman key exchange, what you recognize, if we scroll back up, what actually happened is we did two key exchanges. Between A and the malicious user we do a key exchange: XA was chosen, YA sent to the malicious user, malicious user chose X to be 7, calculated Y to be 2, KA to be 17, sent the Y value back to A, and A calculates the same K to be 17. So that's a normal Diffie-Hellman key exchange, but it's between A and the malicious user. But A doesn't know it's with the malicious user. It thinks it's with B. And there's a second key exchange between the malicious user and B. Malicious user chose private X of 2, public Y of 9, sent that to B. B chose private X of 11, public Y of 10, sent it back to the malicious user, and they both end up with the same key KB of 5. So two Diffie-Hellman key exchanges, but between the normal users and the malicious user. The result: A and B think they've exchanged a secret, but they've actually exchanged a secret with the malicious user, and the malicious user takes advantage of that.
Questions on the steps? Everyone can do in an attack on Diffie-Hellman in an exam or similar? On RSA, a similar man in the middle attack can be applied on RSA. Whatever the guy, the malicious attacker in the middle, whatever he, because of the algorithm the private key will always put up to be the same, so he can send junking information and then you'll get like the same key, while in RSA there was slightly more, the whole step that you had. We haven't really gone through a detailed example of RSA key exchange, but if we encrypt with a public key, the problem that we have, the problem that arises here is that when B receives YA of 9, Y is the public value, it's the public value of A, when B receives that, B doesn't know if it is the true public value of A or if it's a fake public value of A. Correct. And this similar approach applies with RSA because we often use RSA to encrypt with someone else's public key. So whose public key do we get? If you want to send me a message, you encrypt with my public key. So I send you my public key, but the man in the middle intercepts and doesn't send my public key, but they send their public key pretending to be thieves. That's the with the public key cryptography. So the public value that is received by the user, the user has no way of knowing is this really the public value that was sent or if it's been modified along the way. You see public YA sent is 16 but received is 9. How does B know it's different? How do they know 16 was sent? Or they don't hear. And that's the problem. And similar in the reverse direction. And the same can apply with RSA: the public value received, we're not sure if it's the true public value.
Yep. With the malicious user, when they calculated X mal B and Y mal B, they just generated this X mal B randomly, in the same way that every other user generates an X. Choose a random number less than 19. They didn't calculate X, they chose it randomly. That's their own X value. You see that it's different from XA. So it was just chosen, it wasn't calculated. We cannot guess the other user's X value, that's private, but we can generate our own. Just choose a random number and that's sufficient in this attack.
So this is a problem in general with public key cryptography. How are you going to fix it? Diffie-Hellman is commonly used in internet communications, right? A receiver of a public value needs a way to prove that this received value is in fact the original value, the true value. How do we do that? If YA received is the right value, we need some form of authentication, some signature or some other mechanism to authenticate that the message we received hasn't been modified along the way. So here YA is effectively modified along the way and we've got no way of B knowing that. So to avoid such an attack, to prevent it, we need to verify that messages received haven't been modified along the way, and in general that's called authentication. We need to authenticate the received messages, authenticate the data. We will see a man in the middle attack against RSA when we look at key distribution, so we'll return to a specific example, but it can apply for other public key ciphers.
Any other questions on the Diffie-Hellman key exchange or the man in the middle attack? How to authenticate? That's our next topic. The next actually two topics are on authentication. That's what we'll get to. There are different methods to do it. That leads us to what we want to find out: well, how do we know that a message received hasn't been modified? We have different authentication techniques. Diffie-Hellman is widely used in the internet in different applications, so it may be used in setting up secure connections. Maybe when you secure shell from one computer into another computer, then you need to exchange a key to encrypt the communications, so Diffie-Hellman may be used there, and if we don't have a way to authenticate the received messages, man in the middle attacks may be possible. And you may have noticed that, I think some of you have used secure shell to log into another computer remotely, and sometimes the first time you log in it presents a warning message, and you may not remember it, but I ask you yes or no, do you trust this server? It prints some long key and it says there's warnings, are you sure about this? And you often just type yes. Well, that's this problem occurring, in that a key is being exchanged and we can't prove it's being modified. That is, we don't know whether man in the middle attack has occurred or not. So when you type yes, it may be someone doing a man in the middle attack. So you shouldn't type yes, you should type no and use some other way to confirm. But as you realize, it's hard to verify messages, so we'll talk about some other approaches for verifying and authenticating messages in the next topics.
What's left on these slides? We've gone through three examples now, plenty of examples. We've gone through a man in the middle attack. The countermeasure is to use some form of authentication: authenticate the received messages. And we'll see common techniques called digital signatures and certificates. We've gone through RSA in some depth as well as Diffie-Hellman. There are other public key cryptosystems. We'll just mention the names: ElGamal, Elliptic Curve Cryptography. Elliptic Curve Cryptography is relatively new compared to RSA and is considered to be faster than RSA, so it performs better, but because it's relatively new there are still some questions about whether it's designed securely, and there have been some flaws found in some implementations, but it's still used
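The lecture's toy exchange (Q = 19, alpha = 3) and its countermeasure of authenticating the received public value, as an added example that is not part of the lecture. The HMAC under a pre-shared key, the function names and the message layout are assumptions chosen for illustration; the lecture itself points to digital signatures and certificates as the usual techniques.

```python
import hashlib
import hmac

Q, ALPHA = 19, 3                        # the lecture's toy global values
DEMO_AUTH_KEY = b"constructed-demo-key"  # constructed; assumed shared by A and B only


def public_value(x):
    """Y = alpha^X mod Q."""
    return pow(ALPHA, x, Q)


def shared_secret(y_received, x_own):
    """K = (received Y)^(own X) mod Q."""
    return pow(y_received, x_own, Q)


def tag(auth_key, sender, y):
    """MAC binding the sender name and the parameters to the public value."""
    msg = f"{sender}|{Q}|{ALPHA}|{y}".encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def accept(auth_key, sender, y, received_tag):
    """Receiver-side check: was this Y really produced by the named sender?"""
    return hmac.compare_digest(tag(auth_key, sender, y), received_tag)


def exchange(x_a, x_b, auth_key=None, substitute=None):
    """Run one exchange and report what A and B end up with.

    substitute=(x_mal_a, x_mal_b) models an in-path party that replaces both
    public values in transit, as in the lecture. It does not know auth_key,
    so the only tag it can forward is the one the real sender attached.
    """
    y_a = public_value(x_a)
    t_a = tag(auth_key, "A", y_a) if auth_key else None
    y_seen_by_b = public_value(substitute[1]) if substitute else y_a
    if auth_key and not accept(auth_key, "A", y_seen_by_b, t_a):
        return {"status": "B rejected YA", "sent": y_a, "received": y_seen_by_b}

    y_b = public_value(x_b)
    t_b = tag(auth_key, "B", y_b) if auth_key else None
    y_seen_by_a = public_value(substitute[0]) if substitute else y_b
    if auth_key and not accept(auth_key, "B", y_seen_by_a, t_b):
        return {"status": "A rejected YB", "sent": y_b, "received": y_seen_by_a}

    k_a = shared_secret(y_seen_by_a, x_a)
    k_b = shared_secret(y_seen_by_b, x_b)
    # Without authentication, a mismatch is only visible if A and B compare
    # their keys over some channel the in-path party cannot alter.
    return {"status": "complete", "k_a": k_a, "k_b": k_b, "keys_match": k_a == k_b}


if __name__ == "__main__":
    print("no tampering      :", exchange(10, 11))
    print("tampered, no auth :", exchange(10, 11, substitute=(7, 2)))
    print("tampered, with MAC:", exchange(10, 11, DEMO_AUTH_KEY, substitute=(7, 2)))
    print("clean, with MAC   :", exchange(10, 11, DEMO_AUTH_KEY))
```

With a modulus this small a substituted value can coincide with the genuine one, in which case the tag verifies because nothing was actually changed.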