We got to this scheme of key distribution via a key distribution centre, this third party. So the goal is that we need to get a secret shared between A and B, and we need to share that secret securely so that no one can listen in and discover the secret, because we're going to use that secret for encryption. We looked on Tuesday at, okay, if we want to distribute keys between every pair of users that may want to communicate, there are many pairs. We came up with this general formula of n times (n minus 1) over 2 as the number of pairs. So the more people, the more pairs, and it becomes too hard to distribute keys. So we need to somehow automatically distribute keys.

This scheme is one option. We assume first, before any of this, that A and B have shared a master key with the KDC. So there's a master key called KA; it's going to be used eventually. At the start of this scheme user A has KA and the KDC has KA. So this is their master key, and similarly user B has KB and the KDC also knows KB. So they've shared master keys to get started. How do they do that? Via what I call some manual mechanism, which is maybe they went to the KDC, physically visited, and exchanged keys, or maybe they sent it in a secure envelope or some form, via some trusted means of communications. So exchange master keys. If there are 100 users in our system there would be 100 master keys in total. The KDC would know every master key, and we call the KDC a trusted third party. They're not involved in the communications between users, but all users must trust it because it has all the master keys. If you have the master keys you can do anything you like.

So once we've distributed the master keys, then we follow these five steps, which automatically distribute a session key. A wants to communicate with B. To do so they both need to know some secret. Instead of using their master keys we use a session key, and in this scheme we call it KS. So the aim is that both of them know KS.
The first three steps can be implemented by software. They send some packets across a network: the KDC is a server, and users A and B are some computers in the network. So A wants to communicate with B. First what happens is that A sends a message to the KDC saying: I am user A, my identity is A, I want to communicate with B, so the identity of B, and some nonce value N1. Think of some random value, for the purpose of identifying that the response is going to relate to the initial request. So we can keep track: the next message, message 2, is going to contain the same nonce value; it's in here somewhere, N1. So when A receives the second message it knows that this second message is a response to the first message, like a sequence number. So we can keep track. We send this message to the KDC with the meaning: I want to communicate with B, can you please generate a session key for me, or for us. The KDC generates a session key KS, creates some random key KS, and then sends this response back. If you look closely you can see there are two parts, two encrypted parts. The left side is encrypted with KA; the right side, after this concatenation operator, is encrypted with KB. The idea is that the left side, encrypted with KA, is intended for user A, and what it contains is the session key. So when user A receives this and decrypts, they will learn the session key. It also contains the values that user A sent to the KDC, just to confirm that this session key is for the request that you just made. In case we make multiple requests over some period of time, we can keep track that this response is specifically for this request. So that left part, when it's received by A, was created by the KDC, and the only other person who can decrypt it is the person that has KA, which is user A. So A decrypts, and A learns the session key.
The right part, the right-hand side after this concatenation operator, is then forwarded on unchanged to B. The right part in message 2 is the session key, the one that was generated by the KDC, and the identity of A, the node that initiated the communications, encrypted with KB. So A takes this last part and sends it on unchanged in message 3 to B. Anyone who intercepts this message needs KB to decrypt it. So if a malicious user intercepts message 3 they shouldn't be able to read the contents, because they shouldn't have KB. If they did, we've got a bigger problem, because KB should be a key known only by B and the KDC. A sends this on to B, B decrypts, now B knows KS, and we're finished. Finished in that both A and B know the session key, and that was our goal: to get a session key between A and B.

The last two messages are just a means of authentication, to confirm that none of these are replays, that it's not a malicious user sending message 3, it's actually user A. The idea is that message 4 is B saying "did you really send that?" and message 5 is A saying "yes I did". That's the intention here, because if B sends message 4 to A but A did not send message 3, maybe someone malicious sent message 3, then when A receives message 4 it would not respond with 5. Or similarly, if a malicious user sent message 3 and B responds to that malicious user, the malicious user will not be able to generate message 5, because to generate message 5 you need to know N2, and the only way to know N2 is to know KS, and we're assuming that KS has been encrypted with KB so no one else should know it. So these last two steps, and in fact the third one is partially used for authentication too, are to confirm that there's no one in here trying to make these messages up or trying to replay these messages after they've already been sent. So now A and B know KS, a session key, which we usually use for a limited period of time.
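The five-message KDC exchange just described, as an added example that is not part of the lecture: the KDC, A and B are modelled as small classes, the cipher E(K, .) is a clearly labelled toy stand-in (XOR with a SHAKE-256 keystream, not a real cipher), the N2 transformation for message 5 is assumed to be N2 + 1, and a second run shows A discarding a replayed message 2 because its N1 has already been consumed.

```python
import hashlib, json, os, secrets

IV_LEN = 16

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the lecture's symmetric cipher E(K, .): XOR with a SHAKE-256
    keystream derived from key and a fresh IV. Illustration only, not a real cipher."""
    iv = os.urandom(IV_LEN)
    stream = hashlib.shake_256(key + iv).digest(len(plaintext))
    return iv + bytes(p ^ s for p, s in zip(plaintext, stream))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    stream = hashlib.shake_256(key + iv).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def seal(key: bytes, fields: dict) -> bytes:
    return toy_encrypt(key, json.dumps(fields, sort_keys=True).encode())

def unseal(key: bytes, blob: bytes) -> dict:
    """Decrypt and parse; under the wrong key the bytes do not parse as JSON."""
    try:
        return json.loads(toy_decrypt(key, blob).decode())
    except ValueError:  # UnicodeDecodeError and JSONDecodeError are both ValueErrors
        raise ValueError("not a valid message under this key") from None

def f(n2: int) -> int:
    return n2 + 1  # agreed transformation of N2 for message 5 (assumed here: N2 + 1)

class KDC:
    """Trusted third party holding one manually pre-shared master key per user."""
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def handle_request(self, ida: str, idb: str, n1: int):
        ks = secrets.token_bytes(16)  # fresh random session key KS
        for_a = seal(self.master_keys[ida], {"KS": ks.hex(), "IDB": idb, "N1": n1})
        for_b = seal(self.master_keys[idb], {"KS": ks.hex(), "IDA": ida})
        return for_a, for_b  # message 2: E(KA, KS||IDB||N1) || E(KB, KS||IDA)

class Initiator:
    """User A: knows only its own master key KA."""
    def __init__(self, ident: str, ka: bytes):
        self.ident, self.ka, self.pending, self.ks = ident, ka, {}, None

    def request(self, idb: str):
        n1 = secrets.randbits(64)
        self.pending[n1] = idb
        return self.ident, idb, n1  # message 1, in the clear: IDA || IDB || N1

    def process_reply(self, for_a: bytes) -> None:
        m = unseal(self.ka, for_a)
        # N1 must belong to an outstanding request for this peer; otherwise replay/forgery
        if self.pending.get(m["N1"]) != m["IDB"]:
            raise ValueError("N1/IDB do not match an outstanding request")
        del self.pending[m["N1"]]  # each nonce is accepted once
        self.ks = bytes.fromhex(m["KS"])

    def answer_challenge(self, msg4: bytes) -> bytes:
        n2 = unseal(self.ks, msg4)["N2"]
        return seal(self.ks, {"R": f(n2)})  # message 5: E(KS, f(N2))

class Responder:
    """User B: knows only its own master key KB."""
    def __init__(self, kb: bytes):
        self.kb, self.ks, self.peer, self.n2 = kb, None, None, None

    def accept_ticket(self, for_b: bytes) -> bytes:
        m = unseal(self.kb, for_b)  # message 3, forwarded by A unchanged; only KB opens it
        self.ks, self.peer = bytes.fromhex(m["KS"]), m["IDA"]
        self.n2 = secrets.randbits(64)
        return seal(self.ks, {"N2": self.n2})  # message 4: E(KS, N2)

    def verify(self, msg5: bytes) -> bool:
        return unseal(self.ks, msg5)["R"] == f(self.n2)

def run_protocol():
    """Full five-message run: (keys agree?, B verified A?, whom B believes it talks to)."""
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)  # pre-shared out of band
    kdc, a, b = KDC({"A": ka, "B": kb}), Initiator("A", ka), Responder(kb)
    for_a, for_b = kdc.handle_request(*a.request("B"))  # 1: A -> KDC, 2: KDC -> A
    a.process_reply(for_a)
    msg4 = b.accept_ticket(for_b)    # 3: A -> B (for_b unchanged), 4: B -> A
    msg5 = a.answer_challenge(msg4)  # 5: A -> B
    return a.ks == b.ks, b.verify(msg5), b.peer

def stale_reply_rejected() -> bool:
    """A replayed message 2 carries an already-consumed N1, so A discards it."""
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    kdc, a = KDC({"A": ka, "B": kb}), Initiator("A", ka)
    old_for_a, _ = kdc.handle_request(*a.request("B"))
    a.process_reply(old_for_a)  # first run accepted
    a.request("B")              # a new request with a fresh N1 is now outstanding
    try:
        a.process_reply(old_for_a)  # attacker replays the old reply
        return False
    except ValueError:
        return True
```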
So let's say A wants to download a file from server B. They go through these steps: they contact the KDC, they get a session key, and then to securely download the file they use that session key. When the download is complete, maybe the session is complete, and maybe in 5 minutes' time when they want to download another file they could go through this procedure again and generate a new session key. So the session key is used for a limited lifetime, to follow this principle: the fewer times you use a key, the less chance an attacker has of discovering that key. That's a common principle that we use. Don't use a key too often, so change keys as often as possible.

I would never ask you to remember this exact scheme, so in the upcoming quiz or exam I will not ask you to draw this picture. But if you look at past exams you'll see questions like: here is this picture, answer some questions about it. What does this mean? What's the purpose of step 2? What can an attacker do? Why can't an attacker see KS? So explain what's happening based upon this scheme or similar schemes.

The idea is that we can use this in a network. We have some server, let's say inside SIT; all our computers want to communicate securely, all our lecture room computers, office computers; we want secure communications between any pair. So we have some KDC server in the network, and we've manually given master keys to all of the computers. So if there are 200 computers that we want to allow in our network, each of them is configured with its own master key and the KDC knows that master key, so the KDC knows 200 master keys. Then when one computer A wants to talk to another computer they follow these five steps, obtain a session key, encrypt the data for that session, and then maybe five minutes later or one day later they may repeat that procedure. So it can be automated inside the network, so it's especially used inside organization networks when encryption is needed between computers inside the network.

What's the problem with the scheme? You're an attacker, what are you going to try and do? Attack the KDC. Okay, we said the KDC knows all master keys; it also generates the session key, so it knows the session keys. So if someone can compromise the KDC they can learn everything. The security of the whole system depends upon the security of the KDC. So if it's a server in our network and someone can get physical access to that server then the system is not secure, so you need to protect the KDC both network-wise and physically.

Compared to the previous scheme we went through, which was a distributed approach, this one looks simpler, only three messages; it is, from that perspective. The problem with the distributed one is that there's a large number of master keys needed: every end system must exchange a master key with every other end system, and that leads to an exponential growth in master keys. The benefit of a decentralized system is that there's no trusted third party that we have to rely on, so we don't have to trust some other central server. So that's the benefit of that system; the disadvantage is too many keys with a large number of nodes.

Now just go back a few slides, to this slide that we skipped over a little bit. We've talked now about master and session keys. It's common in many systems that we have a hierarchy of keys. We use master keys to exchange session keys, so we encrypt the session key with a master key, and then we use the session keys to exchange data, so we encrypt the data with session keys, with the idea that over time we can regularly change the session key and we're only using the master key very occasionally, that is, whenever we generate a new session key. So this is the concept of changing keys rapidly, or regularly and automatically. Often the master keys are manually exchanged, that is, I go to the computer and program in a master key, but they're not changed very often, seldom, whereas session keys, which are used much more, are automatically exchanged across the network, because we can encrypt them with the master keys, and are changed on a regular basis because we use them a lot.

How often do we change keys, so what's the key lifetime? The shorter the lifetime, the better it is for security. Again, the fewer times you use a key, the less chance there is for the attacker to find the key; that's the concept. But if we change the key too often, every time we change key we need to go through a few steps. If we're using this scheme, every time we want to change a session key we must send these five packets through the network, so we cannot do it too often, otherwise that overhead of communicating will be too much. So we need to trade off. In some cases it depends upon the applications, the network applications being used; say if you're using a TCP application you can do it on each connection, or after every few minutes in some cases. So it depends upon the network usage. Changing more often is better for security but less convenient, or more overhead.

One more slide. You can extend this concept of a key distribution center to having multiple KDCs: one KDC for our campus, another one for Rangsit campus, and then another, a higher one up in the hierarchy, that is used for distributing keys between those KDCs. So you can have a hierarchy of KDCs, and if one of them is compromised that means the other ones are not necessarily compromised, and therefore we limit the impact of some security compromise. So these are two examples of how to exchange, if you see the heading here, symmetric keys using symmetric key cryptography. So again the intention: get a shared secret key between A and B. How do we do it? We encrypted using symmetric key encryption. So that was one approach for key distribution. Any questions on the KDC, key distribution center?

Yes, this is a protocol, so it would be agreed upon: the exact structure and the protocol, the exchange of messages. Yes, so an attacker knows that they're going to do this, so you need to think: what can an attacker do given this knowledge? The attacks generally relate to, well, can they send a fake message and try and fool them, or can they replay messages which were sent in the past to try and cause some disruption. The nonces help in those cases, because if you can keep track of the messages that you've dealt with in the past, think of N1 as a sequence number, then if you receive a replay of this message you can discard it. Or if message 3 was replayed by a malicious user, then the fact that the malicious user wouldn't be able to send back 4 and 5 correctly would mean that they'll be detected. So yes, everyone knows this scheme, the format of the messages, but because we're encrypting with these master keys and doing these extra steps of checking "did you really send this?", finding attacks is difficult. Do you see any? That's a common exam question: what can you do to break this scheme?

A different nonce, that is, in which one? Yes, a malicious user could send this message, but then the response would be encrypted with KA. The malicious user receives a response; what do they gain? They cannot gain KS because it's encrypted with KA and KB. So they could receive a message, but you need to think, well, what do they gain from that? They shouldn't be able to gain KS because it's encrypted, here and here. IDs are known, IDs like an address of a computer or an ID of a user, so IDs are generally known. Message 3 is encrypted with KB, so no one but B should be able to read the contents of that. Even A cannot fake that, because this is encrypted with KB, so even though A receives it they just cannot see the contents, so they would not be able to change the identity, for example; that's already encrypted in there.

Let's look at some other ways to distribute secrets. What about using public key cryptography? I want to get a secret from me to someone else. We cannot just send a secret across the network; we must encrypt it.
So use public key cryptography to encrypt that secret and send it. So, distributing symmetric keys, shared secret keys, using, here I said, asymmetric encryption, which is public key cryptography. Asymmetric is public key crypto; I should change the title, it's just another name. Remember public key crypto? Let's have a test. Public key cryptography: if you encrypt a message with your public key, who can decrypt it? A hard one to start with. Everyone? Everyone else? If you encrypt a message with your public key, who can decrypt it? Yourself only. Okay, if something's encrypted with a public key, the only way to decrypt it is using the corresponding private key. So if I encrypt something with my public key, the only way to decrypt is using my private key, and no one else has my private key. So just remember the ordering, or the fact that if you encrypt with one you can only decrypt with the other.

If you encrypt something with your private key, what's the purpose of that? Verify, for a signature. If I encrypt something with my private key, who can decrypt? Everyone. Okay, because you need my public key to decrypt and everyone can have my public key; it's public. So what's the purpose of that? It's used for signing. Since it decrypts with my public key it means it must have been encrypted with my private key, which means it must have come from me, because only I have my private key.

What's another combination? If you want to send me a secure message, a confidential message, what do you do? Encrypt it with RSA, and which key in RSA? You're correct: which key in RSA, public or private? If you want to send me a confidential message you encrypt using the destination's public key, my public key. If you want to send a message to me, I'm the destination, you encrypt that message with my public key. How do you get it? Easy, it's public. You send it to me; the only person who can decrypt is me, because only I have my private key. So that's the other common scenario. What's the other, the fourth one? I think the fourth one, like the first, will not make sense or not be used. So: encrypt with your own private key for signing, encrypt with the other person's public key for confidentiality. That's how we use public key crypto.

So, easy, use it to distribute secret keys. I want to send a secret to you: I'll encrypt with your public key, send you the encrypted secret, and you can decrypt it. So we can use public key cryptography. Let's go through a few different schemes for distributing secrets by using public key cryptography now, and we'll go back to another one elsewhere. Why don't we just use public key all the time? Because it's slow. So why do we want to distribute a secret key when we could just encrypt with the public key all the time? Because encrypting a large amount of data with public key cryptography is relatively slow compared to symmetric key cryptography. So in practice we want to use symmetric keys, so a common use of public key cryptography, asymmetric encryption, is exchanging secrets.

First approach. We need to exchange a secret between A and B, so, easy approach, A sends a message to B saying: here's my public key, I'm user A. So public key of A and identity of A. B chooses a secret key, generates KS, encrypts it with the public key of A, and sends that back encrypted to A. Because KS was encrypted with PUA, only A can decrypt, because only A has the private key. So here's one way. Now both B, who generated KS, and A, who decrypts and finds KS, know KS. That was our aim.

Draw a picture that attacks that scheme. On this slide, on your blank slide, draw the man-in-the-middle attack. Use your knowledge of what the name suggests: let's say there's a user C in the middle. What can they do to defeat this scheme? So the scheme is: I want to communicate with you, I send you my public key, you choose a secret and encrypt that secret with my public key and send it back to me. That's these two steps. Now what if there was someone in the middle who could listen in to the messages and modify messages? What can they do to defeat this scheme? Draw it. To get started draw A, C, B, where C is the man in the middle, man or woman. Draw A, C and B. That won't help you; it helps to bring a piece of paper sometimes to lectures, maybe a pencil or a pen, to draw and think. If A and B follow this procedure, what could you do as a malicious user in the middle to fool them? Good, draw C in the middle of B and A to get started. A and B don't know C is in the middle; they don't know. They send these messages, but C is trying to do something to learn the key, learn KS. What can they do? A and B are computers. What do you mean, know anything? Try, see what happens. Try, draw it and come up with a scheme for doing it. Okay, generate an attack. Yeah, you can do different things, but try and see if it's successful. I want to see some pictures. Yeah, sorry? Will B send back to C? Possibly. The purpose is that C would like to learn KS, and even better, learn KS and not let A and B know that they've learned KS. So A and B follow this protocol: A sends this message; when B receives it, it sends back a response. What happens? In this case we have a man in the middle C. So A sends a message, B is going to respond, but C can do something: they can intercept those messages in the middle and even create new messages. What can they do to learn KS? This is looking good; I think a few people have got the attack.

Look, A follows the normal procedure of sending PUA, IDA to get started. A wants to send a message to B, so they generate PUA, IDA and send that. That's the normal procedure according to this protocol. But our man in the middle C intercepts before it gets to B. Let's say A is a computer here, B is a server somewhere else, and in between on that path C receives this message and changes it before they send it on to B. What do they change it to? PUC. Now how do you learn someone's public key? Well, it's public; they can send it to you. That's what this scheme was. We'll come back to some other ways later, but we'll see this scheme doesn't work in some cases, and that's why the attack is successful. But in this way of learning the public key, A sends the public key to B; C, the malicious user, changes it from PUA to its own public key PUC. What about the ID? IDA, of course; you don't change that. So I think the ID is someone's name or address, but we change the actual public key. So B receives this: here's a message from A, and therefore it should contain the public key of A, but in fact it contains the public key of C. B doesn't know that, because the public key is just a sequence of bits; how do you know whose it is? Based upon the identity. B generates KS and sends back a reply, and according to our scheme the reply that B sends is the KS that it just created, encrypted with the public key that it just received, the public key of C in this case. Okay, B doesn't know it's the public key of C; I've written it as the public key of C but B doesn't know that. You just receive some public key; whose is it? Well, based upon the identity we think it's A's public key, so we encrypt KS with it and send that back. Another user who intercepts this cannot see it, but C intercepts on the way back to A. C intercepts this response, and because it was encrypted with the public key of C, C can decrypt it. C decrypts, and when they decrypt they learn KS, because C has the private key of C.

What's next? What does C send to A? It would be nice to send something to A, because we'd like an attack where the malicious user learns the secret key and A and B think no one knows the secret key, so A and B keep communicating using that secret key. Otherwise it's not going to be so useful to learn the secret key if the others can detect it. "Give him whatever he wants" is not enough, because if we give them the wrong value he will try and encrypt data and send it to B and they'll quickly detect that they've got the wrong key. So, correct, don't give him whatever he wants; give him the encrypted session key, not whatever he wants; he may want something else. Okay, you're correct: encrypt KS with the public key of A, and when A decrypts, because A has the private key, A learns KS. So from A's perspective they sent the first message; what do they receive back? The expected message, because it decrypts with the private key of A and they learn KS. So A knows the session key. From B's, the other user's, perspective, they receive the request, public key and identity, they create a session key, encrypt it and send it back, and they get no error messages later, so they know KS. But our man in the middle C, by doing these changes, changing the public key to its own, decrypting and learning KS, and then encrypting with PUA, which of course is public, has learnt KS, and A and B don't know that. A and B still think everything's okay. So now A encrypts their highly confidential data and sends it to B; everything that's sent between A and B using KS can be decrypted by C. So our man in the middle can decrypt everything. So the scheme is not so good from that perspective. The attack is easy.

In practice this attack requires someone to be able to be in the middle and intercept and modify packets. Okay, so it requires them, if it's in a network, to be in the path between A and B and be able to intercept packets. If we have a communications link where they cannot do that then our scheme here is okay. So it's only useful if the attacker cannot modify and insert messages. In some networks that's the case, but in the public internet you cannot assume that, so it's not secure in large networks, public networks. How do you improve this? Is there another way? Well, how do we improve? Make sure we know the correct public key. In the next part of these slides we'll talk about how we get public keys to the users, because our problem here was that A sent its public key but C changed it, so when B got the public key of A it couldn't recognize that it's not the public key of A, it's the public key of C. That's the problem with public key cryptography: we need a way that we can distribute public keys such that the person who receives it is sure that it is that person's public key. So we'll look at detailed ways of doing that before we go on to this other one, and actually we won't spend much time on it. The next topic is how to distribute public keys, and we'll see that's a challenge in public key cryptography, so we'll spend some time on that.

But let's go back to the public key cryptography lecture notes; I think you have it at the front of your handouts. Let's try another scheme. Close this one, go back to the topic on public key cryptography where we talked about the principles. We went through RSA, remember RSA: they take our message to the power of e mod n, and decrypt similarly. Well, some slides we skipped; one was called Diffie-Hellman key exchange. We're going to go through that now. Before we go through it, a quick test. I'm going to give you some names of algorithms and you need to tell me whether it's symmetric key, public key, or something else. Everyone's ready? Okay, RSA: symmetric key, public key, hash function? What is RSA, which type of algorithm: symmetric key or public key algorithm or hash algorithm, or what else? We had random number generator. Which one? Public key. RSA: public key cryptography, right. These are the things you need to remember even if you can't remember the actual algorithms. AES? AES, symmetric key, okay. DES? Symmetric key. MD5? Hash, okay. Have we got any others? Triple DES: symmetric key. SHA: hash, Secure Hash Algorithm. So try and recognize at least, when someone talks about RSA, that we're talking about public key cryptography, and AES, Triple DES. In yours, I think I gave you an assignment or a homework; what did you use, different ciphers, maybe with OpenSSL? You can use things like Camellia and many other ciphers. Diffie-Hellman, what is it?
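Back to the two-message public-key scheme and the man-in-the-middle attack on it described above, as an added example that is not from the lecture. The keys are textbook RSA built from tiny constructed primes (61 and 53 for A, 89 and 97 for C), KS is a small integer, and the "trusted directory" check is an assumed stand-in for the public-key distribution problem the lecture says the next slides address: with it, the swapped key no longer matches IDA and B aborts.

```python
import secrets

def toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two tiny constructed primes (illustration only).
    Returns ((e, n), (d, n)) = (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)

class ManInTheMiddle:
    """C sits on the path between A and B and can read and rewrite both messages."""
    def __init__(self):
        self.pub, self.priv = toy_rsa_keypair(89, 97)
        self.pu_a = None
        self.learned_ks = None

    def forward_msg1(self, msg1: dict) -> dict:
        self.pu_a = msg1["PU"]                      # remember A's genuine public key
        return {"PU": self.pub, "ID": msg1["ID"]}   # swap PUA for PUC, leave IDA alone

    def forward_msg2(self, msg2: int) -> int:
        self.learned_ks = rsa_decrypt(self.priv, msg2)  # B encrypted KS under PUC
        return rsa_encrypt(self.pu_a, self.learned_ks)  # re-encrypt under PUA so A sees nothing odd

def run_exchange(mitm=None, trusted_directory=None) -> dict:
    """Runs PUA||IDA -> B, then E(PU, KS) -> A, with an optional C on the path and an
    optional out-of-band directory of identity -> public key that B consults."""
    pu_a, pr_a = toy_rsa_keypair(61, 53)           # A's key pair; pu_a == (17, 3233)
    msg1 = {"PU": pu_a, "ID": "A"}                 # 1: A -> B
    if mitm is not None:
        msg1 = mitm.forward_msg1(msg1)
    # Defence (not part of the two-message scheme): B only accepts a key for "A"
    # that matches what a trusted, separately obtained directory says A's key is.
    if trusted_directory is not None and trusted_directory.get(msg1["ID"]) != msg1["PU"]:
        return {"detected": True, "ks_a": None, "ks_b": None, "ks_c": None}
    ks_b = secrets.randbelow(3000) + 2             # B picks KS (kept below both moduli)
    msg2 = rsa_encrypt(msg1["PU"], ks_b)           # 2: B -> A, E(received PU, KS)
    if mitm is not None:
        msg2 = mitm.forward_msg2(msg2)
    ks_a = rsa_decrypt(pr_a, msg2)                 # A decrypts with its private key
    return {"detected": False, "ks_a": ks_a, "ks_b": ks_b,
            "ks_c": mitm.learned_ks if mitm is not None else None}

def honest_agrees() -> bool:
    """No attacker: A and B share KS and nobody else holds it."""
    r = run_exchange()
    return r["ks_a"] == r["ks_b"] and r["ks_c"] is None

def attack_succeeds() -> bool:
    """Without key verification all three end with the same KS and nobody notices."""
    r = run_exchange(ManInTheMiddle())
    return not r["detected"] and r["ks_a"] == r["ks_b"] == r["ks_c"]

def defence_detects() -> bool:
    """With a trusted record of A's key, the swapped key no longer matches IDA."""
    directory = {"A": (17, 3233)}                  # A's real public key, obtained out of band
    return (run_exchange(ManInTheMiddle(), directory)["detected"]
            and not run_exchange(None, directory)["detected"])
```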
Diffie-Hellman symmetric public hash public key cryptography so we're going to go to go back and go through a public key cipher but it's specifically for key exchange RSA we could use for encrypting data we don't use this Diffie-Hellman algorithm for encrypting data or signing we use it for key exchange get a secret from A to B okay so there are different public key algorithms but they have different purposes let's go Diffie through Diffie-Hellman key exchange and Diffie and Hellman the two people are the two people who created public key cryptography or first published about public key cryptography so back in 1976 they proposed public key crypto systems and their algorithm or the one we'll go through is an X algorithm for exchanging a secret key same as before we want to get a secret from A to B without anyone else knowing that secret so just for exchanging a key it's based upon discrete logarithms the mathematical problem that makes it a public key algorithm is discrete logarithms and if we remember back to RSA calculating exponentials modulo sum number especially a prime is relatively easy that is a large number raised to the power of some other large number mod sum prime we can calculate in a short amount of time but doing the inverse of an exponential a logarithm is extremely hard and a logarithm in mod modulo arithmetic it's called a discrete logarithm so we'll see how that is used in Diffie-Hellman key exchange here's the algorithm we'll go through it by using an example with some small values to get started we have some parameters which we call the public globally public means everyone can know these values Q and alpha in this algorithm description let's choose some numbers Q is a prime number and alpha normally is a primitive root of Q we mentioned primitive roots when we look to RSA we'll not go back and explain them but accept that alpha is a primitive root of Q I'll give you the values for our example so we have A and B they want to get a shared secret 
KS or some secret value between them that no one else knows they start with some public values Q and let's choose a value a prime number for our simple calculations I'll use a small number and alpha a primitive root of Q and 3 is an okay value and that public values everyone knows them including B and later including an attacker alpha not A so that known up front Q you should be a large prime number not 353 it should be much larger but for our calculations let's use a small prime number so the steps user A select some private value we'll call X A should be less than Q so that's the condition choose some random value less than Q and then user A will calculate a public value we'll call YA based upon this algorithm alpha to the power of X A mod Q so let's do that for user A choose X A so select some X A and I will select as user A because I've got the numbers 97 just a random number less than 353 fine and now calculate YA as what alpha to the power of X A mod Q in our case alpha is 3 X A we just chose to be 97 mod the known Q 353 we'll go through the steps and then analyze it later which is anyone with a calculator calculator anyone see if your phone will calculate okay 3 to the power of 97 mod 353 3 to the power of 97 3 to the power of 97 mod 353 is 40 okay so you need a calculator for that one but even with large numbers when we deal in practice with very large numbers computers can calculate that in reasonable time so X X A will be a private value don't tell anyone X A we need to keep it secret YA is a public value and what we do is we send YA to B so let's send it say we send a message from A to B where we say okay YA that I've chosen is 40 in fact at this point we could also send alpha and Q if B didn't know them because again they can be public anyone can know the values alpha is 3 Q 353 sometimes B will know in advance otherwise we can send in a message saying here are the values you should use B receives now B follows the same steps it chooses some X and 
calculates some Y using the same steps but of course we'll choose a different X most likely they choose a random X less than 353 B let's say chooses X B equal to some random number of 233 and calculates Y B I'm using lower case same same way alpha to the power of X B mod Q same alpha 3 X B 233 the chosen value mod 353 so they follow the same steps except they'll choose different X's assuming Q is large enough they choose a random X they'll choose different values alpha to the mod the power of X a mod Q alpha to the power of X B mod Q answer calculator time 3 to the power of 233 mod the same 353 248 and now B sends that value back to A actually before we can send it and then calculate but B will send the message back and then B calculates a new value so we've gone through we started with two public values Q and alpha X generates a key sorry A generates a key selects X calculates Y B follows the same algorithm selects X calculates Y they exchange their Y values and then they both go through this calculation to calculate this K the Y you receive to the power of the X you chose mod Q let's try we'll do it from B's perspective first I've done that right let me just check we're going to do this step of we've done B generated Y B they're going to send that back and then B this last step K equals Y A to the power of X B mod Q K equals Y A to the power of X B mod Q Y A we received Y A is 40 X B we chose as 233 mod the same Q 353 calculator will tell us the answer 40 to the power of 233 mod 353 anyone want to guess is less than 353 160 let's record that one so user B has calculated K to be 160 and we send back our Y so Y B we calculated to be 248 now user A follows the same steps to calculate so this was our K I'll call it K B subscript K B K subscript A same algorithm but using the opposite values that is user B chose used A's value of Y B's value of X mod Q and they got 160 A's value of Y came from the message that A sent it B sends back his value of Y 248 and user A 
calculates using Y B to the power of the original X A they chose what do we choose it's there somewhere mod our Q 97 we chose so let's calculate that 248 the power of 97 mod 353 calculator time any guesses maybe guess 160 260 let's try 248 to the power of 97 mod 353 248 to the power of 97 mod 353 160 is that luck will show that it's not luck that's the design of the algorithm they'll always get the same number here and that's our secret the idea was that A and B share a secret some number that they both know that no one else knows and following as these steps in this case they both end up with a value on either side 160 160 the same value so now we need to check why did they get the same value and more importantly what can an attacker do to try and find that value so just go back to the top A and B they both know Q and alpha that's public everyone knows A selects a value of X calculates Y sends their value of Y and in this case alpha and Q to user B user B chooses an X some independent value calculates his value of Y and sends that back to A and in the meantime B calculates his value of K 160 and when Y B is received by user A they calculate their value of K and they'll get the same value why do they get the same value let's quickly look at that we'll see the mathematics is quite simple of exponentials what steps did we go through for example what did user A do their first calculation was Y A is alpha X A mod Q whereas B's calculation was Y B alpha to the X B mod Q and then A's calculation when they received Y B they calculated what K I have to remember K to the power of Y B a K Y K equals Y B to the power of X A mod Q so that are steps that A chose chose an X calculate Y they received Y B and then calculated K let's call it actually to be precise K subscript A let's substitute in let's do what let's substitute this Y B into this calculation for K A that is I'm going to replace Y B with alpha to the X B mod Q what is Y B Y B is alpha to the X B mod Q that's from 
the right-hand side. That's this part, all of it, to the power of XA mod Q. When we simplify, what do we get? If we go back to our early modular arithmetic and some of the properties, the same properties that hold with our normal arithmetic for exponentials: when we take some number mod Q and then mod Q again, it's the same as just modding by Q once. Think of this concept: 13 mod 10 is 3; mod 10 again is 3; mod 10 again is 3. If we keep modding by 10 we still end up with 3. So in fact you only need to mod by Q once, so we'll remove this mod Q. It's the same as alpha to the XB, all to the power of XA, mod Q. And alpha to the XB, all to the power of XA, is the same as alpha to the XB times XA; that's our normal property of exponentials. 2 to the power of 3, all to the power of 4, is 2 to the power of 3 times 4, or 2 to the power of 12. So this is KA from A's perspective. Now do the same for B. We have space? Yes, we'll find some space. KB is YA to the XB mod Q; this is from the algorithm description. And now let's substitute this YA in here, so replace YA with alpha to the XA mod Q. So KB would be alpha to the XA mod Q (this YA was replaced by this value), all to the power of XB mod Q. The same simplifications apply: we can remove this mod Q and we get alpha to the XA, all to the power of XB, mod Q, and again that becomes alpha to the XA times XB mod Q. A calculates KA to be alpha to the XB times XA mod Q. B calculates KB to be alpha to the XA times XB mod Q. They are the same. Okay, so this is just the proof that if we follow this algorithm, A and B will end up with the same value of K, and we'll use this K as our shared secret, a value that both A and B know. Okay, so this is the proof that we get the same value at the end. That's the easy part. Why is it secure? So now put on your black hat: what can a malicious user do to find that value of K from this information? What can a malicious user do to find 160? If they can, this is not secure. If they can't, then this is
a secure key exchange. Think: what can the malicious user do? Look at our exchange of messages and what the malicious user knows. Okay, yeah, in our exchange let's look at what the malicious user knows. So go back to our start. Alpha and Q are known; they are public values, so they are known by the malicious user. Those values are known, so we'll list them in a moment. XA was chosen by A and is kept private, so the malicious user does not know XA. YA was calculated and sent across the network, so assuming the malicious user can intercept, and they can, YA is known, or public: YA, alpha and Q. XB is secret; it's only known by user B. But YB, which is sent back, will also be known, so YB can be discovered by the attacker. So given those values, what can the attacker do? Let's try. Known values, what have we got? Q is 353, alpha is 3, YA was 40, YB 248, and they know the algorithm, so they know all the steps, all the equations which were used. So this is the attacker. What do you try and find? You want to find K. What steps do you take to find K, the secret? Just use this formula; try it. So write down a formula from the description of the algorithm that you would use to find K, or something on the way to K. Eventually we'll need to do a discrete logarithm. We know that KA was calculated, for example, as YB to the XA mod Q. So the attacker knows this, and we know YB is 248; XA we don't know; Q we know. So now for the attacker to calculate the secret K they need to know XA first. First approach: what's the brute-force approach? Try every value of XA. How many values are there in this example? How many possible values? XA was chosen to be less than 353, so there are 353 possible values. So here, if we know XA we'll get K, so you could try all possible values, 0, 1, 2, 3 up to 352, because it was less than. Okay, so that's one approach. How do we stop that attack? Make sure that instead of using 353 you use a very large prime number; therefore trying a brute force in that case would take forever. So to stop such an attack of trying
all the XA's, just make sure the prime is large enough. 353 is not large enough, but when you've got hundreds of bits you can make it large enough. So how else can we find XA if we can't do a brute force? Look at the algorithm. Where's XA used? Maybe this equation here: YA equals alpha to the XA mod Q. That's also known by the attacker. YA is known, it's 40; alpha is known, it's 3; XA is unknown; Q is known. Our aim: find XA. If we find XA we can calculate K and we've got the secret. Here we have an equation with three known variables and one unknown; should be easy. How do we find XA? The inverse. What's the name of the operation? It's a logarithm. Remember we've got an exponential here and we want to find the index; so given an exponential, find the index: it's a logarithm, the discrete log. So XA equals the discrete log, dlog, in base 3 mod 353 of 40. That is, to what power do we raise 3, and mod by 353, to get 40? So a logarithm, but with modular arithmetic. So if we can solve this we find XA; once we know XA we can calculate K and we've got the secret. And if we remember back to public key cryptography, we said discrete logarithms are one of those problems where, if the numbers are large enough, we cannot solve it. Okay, so if Q is a large prime, and therefore these numbers will be large, solving a discrete logarithm takes too much time. So that's where the security of the Diffie-Hellman key exchange comes in: with large enough numbers, just solving a discrete log takes forever. And you can look at other ways that the attacker can try and find K and you'll see that it comes back to solving a discrete logarithm or brute force, and the way to make them impossible is to make the numbers large enough. You can try from B's perspective, try and find XB, and you'll find it's the same problem; it all comes back to a discrete logarithm. As a result this key exchange algorithm is considered secure; that is, if you use large enough parameters, then if you exchange
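The exchange, the equal-K proof and the attacker's brute-force discrete log worked through above, as an added Python example that is not part of the lecture. It uses the lecture's own parameters (Q = 353, alpha = 3, XA = 97, XB = 233); the function names are my own.

```python
# Added example (not from the lecture): Diffie-Hellman with the lecture's
# parameters, then the attacker's view with only the public values.

def dh_public(alpha: int, x: int, q: int) -> int:
    """Y = alpha^x mod q: the value each party sends across the network."""
    return pow(alpha, x, q)

def dh_shared(y_received: int, x_own: int, q: int) -> int:
    """K = (received Y)^(own X) mod q: the secret each side computes."""
    return pow(y_received, x_own, q)

def run_exchange(q: int = 353, alpha: int = 3, x_a: int = 97, x_b: int = 233):
    """Both sides' steps; returns (YA, YB, K). Asserts KA == KB, which the
    lecture proves: both equal alpha^(XA*XB) mod q."""
    y_a = dh_public(alpha, x_a, q)   # A -> B: YA
    y_b = dh_public(alpha, x_b, q)   # B -> A: YB
    k_a = dh_shared(y_b, x_a, q)     # A: (alpha^XB)^XA mod q
    k_b = dh_shared(y_a, x_b, q)     # B: (alpha^XA)^XB mod q
    assert k_a == k_b == pow(alpha, x_a * x_b, q)
    return y_a, y_b, k_a

def brute_force_dlog(alpha: int, y: int, q: int):
    """Attacker: solve y = alpha^x mod q by trying every x in 0..q-1.
    Only feasible because q = 353 is tiny; a q of hundreds of bits makes
    this search (and every known discrete-log method) take far too long."""
    for x in range(q):
        if pow(alpha, x, q) == y:
            return x
    return None   # no solution (cannot happen when alpha is a primitive root)

def attacker(q: int, alpha: int, y_a: int, y_b: int):
    """The attacker knows only q, alpha, YA and YB (intercepted).
    Recover XA by discrete log, then K exactly as A would compute it."""
    x_a = brute_force_dlog(alpha, y_a, q)
    if x_a is None:
        return None, None
    return x_a, dh_shared(y_b, x_a, q)

if __name__ == "__main__":
    y_a, y_b, k = run_exchange()
    print(f"YA={y_a} YB={y_b} K={k}")              # YA=40 YB=248 K=160
    print("attacker recovers", attacker(353, 3, y_a, y_b))   # (97, 160)
```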
the keys in this way, both A and B will know the secret K, the same secret K they'll have at the end, and even if someone intercepts all messages they cannot learn that value of K. So we exchange the secret and no one else knows the secret; that's the goal. So Diffie-Hellman is commonly used for key exchange in many practical protocols. Secure Shell, when you SSH into a server, uses Diffie-Hellman for key exchange on a regular basis. That just shows what we tried to draw, the steps that were calculated. So we've gone through an example. It's insecure against the man-in-the-middle attack: it's still possible that someone in the middle, if they can be in the middle, can do an attack on the Diffie-Hellman key exchange. So for it to be used you need some other way to ensure the person you're talking with is who you think they are. And next we will move into the topic of how we make sure the public key that we get is real. So we've seen a man-in-the-middle attack where we got a public key of B, we thought it was A's but it was C's. So then the question is, how can I make sure that if I have a public key it is that person's and not someone else's? And that will lead us to public key certificates. So we'll look at that next week, and we'll see certificates in your web browsing. So we'll lead to that. Any questions on Diffie-Hellman in the last couple of minutes? Diffie-Hellman, RSA, they look simple, the mathematics is not too hard, but they're very, very useful and used very commonly for exchanging keys and signing things. Everyone's okay? Those people that did the quiz last week, you can come and collect your quiz; you should see your scores online if you like. Next week we'll continue with