Cryptography

Key Exchange

Every secure channel - an HTTPS connection, an SSH session, a Signal message - begins with a key exchange. Before 1976, two strangers communicating over an untrusted network had no way to establish a shared secret without a physical courier. Diffie-Hellman changed everything: it made secure communication between strangers over an untrusted network mathematically possible for the first time.

  • **TLS 1.3**: mandates ECDH with X25519 or P-256. Every HTTPS connection since 2018 starts with an ephemeral ECDH exchange.
  • **Signal Protocol**: X3DH (Extended Triple DH) for initial key agreement, followed by Double Ratchet. Each message session derives from a fresh DH exchange.
  • **SSH**: server presents a host key that signs the DH exchange. Client verifies the fingerprint on first connection and pins it thereafter.
  • **Logjam attack (2015)**: downgrade attack forcing TLS to 512-bit ("export-grade") DH. Broken in 7.6 hours with the Number Field Sieve (NFS). Motivated deprecation of classical DH in TLS 1.3.

The Key Distribution Problem

Symmetric encryption requires both parties to share a secret key before communication begins. For n parties communicating pairwise, this requires n*(n-1)/2 keys. Distributing these keys securely over an insecure channel seemed impossible until Diffie and Hellman's 1976 paper.

The Diffie-Hellman paper 'New Directions in Cryptography' (1976) introduced the concept of public-key cryptography and asymmetric cryptosystems. Whitfield Diffie and Martin Hellman received the Turing Award in 2015 for this work.

How many unique symmetric keys are needed for 100 parties to communicate pairwise without key exchange protocols?

Diffie-Hellman: Public Key Exchange

Diffie-Hellman key exchange allows two parties to derive a shared secret over a public channel without any prior shared state. The security rests on the difficulty of the Discrete Logarithm Problem (DLP) in a finite group.

Real DH uses groups with 2048-4096 bit primes or elliptic curves (ECDH). TLS 1.3 mandates ECDH with X25519 (Curve25519) or P-256. The X25519 group has order ~2^252, providing 128-bit security.

In Diffie-Hellman, what information does an eavesdropper see and what remains secret?

Discrete Logarithm Problem

The Discrete Logarithm Problem (DLP): given g, p, and g^x mod p, find x. This is believed to be computationally hard for large primes, but the best classical algorithm (Number Field Sieve) runs in sub-exponential time, requiring 2048+ bit parameters for adequate security.

RFC 3526 defines standard DH groups (MODP groups) with 1536-4096 bit primes. RFC 7919 (FFDHE) defines finite-field groups suitable for TLS. However, TLS 1.3 deprecated classical DH in favor of ECDH over X25519 and P-256 due to smaller key sizes and better performance.
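The exchange and the DLP cost, as an added worked example in Python that is not part of the original lesson: a textbook Diffie-Hellman run over a constructed toy group (safe prime p = 1019, q = 509, generator g = 4; chosen for illustration and far too small to be secure), including the public-value validation a receiving side should perform, followed by an exhaustive-search DLP solver whose O(q) cost is what large parameters defend against.

```python
import secrets

# Constructed toy group, NOT secure: safe prime p = 2q + 1, and g generates
# the prime-order-q subgroup. Real deployments use RFC 3526 / RFC 7919
# groups with 2048+ bit primes, or ECDH over X25519 / P-256.
P, Q, G = 1019, 509, 4

def keygen():
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def valid_public_value(y):
    """Receiver-side check: y must be a non-trivial element of the
    order-q subgroup (rejects 0, 1, p-1 and anything outside the subgroup)."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1

def shared_secret(own_private, peer_public):
    """Raise the peer's public value to our own private exponent."""
    if not valid_public_value(peer_public):
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_private, P)

def dh_exchange():
    """Run one exchange; return (what an eavesdropper sees, keys agree?)."""
    a, A = keygen()                  # Alice keeps a, sends A = g^a
    b, B = keygen()                  # Bob keeps b, sends B = g^b
    k_alice = shared_secret(a, B)    # (g^b)^a
    k_bob = shared_secret(b, A)      # (g^a)^b
    return {"p": P, "g": G, "A": A, "B": B}, k_alice == k_bob

def brute_force_dlp(h):
    """Solve g^x = h mod p by trying every x in [0, q): O(q) group operations.
    Smarter attacks do better (Pollard rho in O(sqrt q), NFS sub-exponential
    in the size of p), which is why real parameters are thousands of bits."""
    acc = 1                          # g^0
    for x in range(Q):
        if acc == h:
            return x
        acc = (acc * G) % P
    return None                      # h is not in the subgroup generated by g

if __name__ == "__main__":
    view, ok = dh_exchange()
    print("eavesdropper sees:", view, "| keys agree:", ok)
    x, X = keygen()
    print("brute-forced exponent matches:", brute_force_dlp(X) == x)
```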

Why do ECDH parameters (256-bit curve) provide roughly the same security as 3072-bit classical DH parameters?

MITM Attack on DH

Unauthenticated DH is vulnerable to a man-in-the-middle attack: an attacker intercepts both public values and substitutes their own, establishing two separate DH sessions - one with Alice, one with Bob. Both believe they are talking to each other but share keys with the attacker.

TLS prevents DH MITM by having the server sign the ephemeral DH public key (g^s) with its long-term private key (RSA or ECDSA). The client verifies the signature using the server's certificate, which is anchored to a trusted CA. This is the 'server authentication' part of the TLS handshake.

Misconception: DH provides authentication because an attacker cannot compute the shared secret.

Correction: DH provides confidentiality (eavesdroppers cannot compute the shared secret) but zero authentication - a MITM attacker replaces both public values and establishes separate sessions with each party.

Authentication and key establishment are orthogonal properties. DH must always be combined with a signature scheme to prevent MITM.
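The signed-ephemeral pattern, as an added example in Python that is not from the original lesson: a toy Schnorr signature over the same constructed group (p = 1019, q = 509, g = 4) stands in for the server's RSA/ECDSA certificate key. The server signs its ephemeral value g^s with its long-term key, the client verifies before deriving the shared key, and a substituted ephemeral value fails verification and aborts the handshake.

```python
import hashlib, secrets
# Same constructed toy group as the DH example (p = 2q + 1, NOT secure).
P, Q, G = 1019, 509, 4

def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def _challenge(r, msg):
    # Fiat-Shamir challenge e = H(r || msg); used directly as an exponent.
    return int.from_bytes(hashlib.sha256(f"{r}|{msg}".encode()).digest(), "big")

def schnorr_sign(x, msg):
    # Toy Schnorr signature; stands in for the server's RSA/ECDSA certificate key.
    k = 1 + secrets.randbelow(Q - 1)
    e = _challenge(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def schnorr_verify(y, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P   # equals g^k for a genuine signature
    return _challenge(r, msg) == e

def server_hello(lt_priv):
    # Server: fresh ephemeral DH key s, public value S = g^s signed by lt_priv.
    s, S = keygen()
    return s, S, schnorr_sign(lt_priv, S)

def client_accept(lt_pub, S, sig):
    # Client: derive a key only if S carries a valid signature from lt_pub.
    if not schnorr_verify(lt_pub, S, sig):
        return None                      # abort the handshake
    c, C = keygen()
    return C, pow(S, c, P)

def honest_handshake():
    lt_priv, lt_pub = keygen()
    s, S, sig = server_hello(lt_priv)
    C, k_client = client_accept(lt_pub, S, sig)
    return k_client == pow(C, s, P)      # both sides hold g^(s*c)

def substituted_value_rejected():
    # An interposed party can swap S but cannot sign the swap without lt_priv.
    lt_priv, lt_pub = keygen()
    _, S, sig = server_hello(lt_priv)
    S_fake = keygen()[1]
    while S_fake == S:
        S_fake = keygen()[1]
    return client_accept(lt_pub, S_fake, sig) is None
```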

What property must be added to DH to prevent MITM attacks?

Key Ideas

  • **Key distribution problem**: n*(n-1)/2 symmetric keys needed for n parties. Diffie-Hellman (1976) solved this by enabling shared secret derivation over a public channel.
  • **DH security**: relies on DLP hardness. Classical DH needs 2048+ bit primes; ECDH needs only 256-bit curves for equivalent 128-bit security.
  • **MITM vulnerability**: unauthenticated DH is vulnerable - attacker replaces both public values. Fix: sign DH public keys with a long-term authenticated key.
  • **TLS 1.3**: uses ECDH with X25519 (ephemeral), signed by server certificate. Provides both key establishment and server authentication.

Related Topics

Key exchange is the foundation of every secure channel protocol:

  • ECC Mathematics — ECDH uses elliptic curve groups instead of Z_p for better performance at the same security level.
  • TLS 1.3 — TLS 1.3 mandates ECDH with authenticated server certificates, combining DH with PKI.
  • Signal Protocol — X3DH extends DH to provide authentication and deniability for asynchronous messaging.

Questions for Reflection

  • If Shor's quantum algorithm solves DLP efficiently, which current TLS connections are retroactively at risk from 'harvest now, decrypt later' attacks?
  • SSH pins the server's host key fingerprint after the first connection. What attack does this prevent, and what is its weakness?
  • Why does TLS 1.3 use ephemeral ECDH keys (fresh per connection) rather than static long-term DH keys?

Related Lessons

  • net-23-https-tls
  • net-34-ipsec