[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Some stuff about Diffie-Hellman (and more :-)
In the Diffie-Hellman exchange there is a well-known-prime, w, and a
well-knwon-modulus, m. For those interested that don't know I think
it then proceeds as follows (don't have notes in front of me so please
someone correct me if I'm misremembering it) where ** is the power or
exponentiation operator and % is the modulus operator:
1) Bob generates a one time random prime, b, then computes
B = (w ** b) % m
and sends B to Carol.
2) Carol generates a one time random prime, c, then computes
C = (w ** c) % m
and sends C to Bob.
3) Bob generates a session key:
K = (B ** c) % m
4) Carol generates a session key:
K = (C ** b) % m
Carol and Bob have the same K because:
K == (C ** b) % m == (B ** c) % m == (w ** (b * c)) % m
>From just the knowledge of B and C a snoop cannot determine
b from B, within computational reason (the root modulus being as
difficult as factoring), nor c from C, and because K cannot be
determined from B and C without knowing b or c, she is screwed.
Close, but not quite. The modulus m should be primed for best results.
Some folks have used a power of 2 for m, since that makes the modulus
operation easier, but it also makes cracking it easier, for comparable
sizes. Next, the base w should be a primitive root of the group GF(m).
More seriously, your equations are subtly wrong -- Bob and Carol can't
do the calculations you've given. Bob should calculate (C**b)%m -- he
knows b and C, but doesn't know c. Similarly, Carol calculates (B**c)%m.
Now, the tutorial over :-), the question is; is there a "standard"
well-known-prime, w, and a "standard" well-known-modulus, m, and if
not, let's define one. I suppose that PGP uses a well known pair but
they are big and not easy to hand around without going through media (I
think.) When defined algorithmically they might be easier to actually
incorporate in a program or a product than great big numbers. If this
has not been done, I propose a simply stated algorithm for finding a
"standard" w and m that will allow interoperation among all future
implementations of D-H as follows:
(deleted)
Two problems... First, many attacks on the discrete log problem are
based on massive precomputation for a known modulus. That probably
isn't an issue when you get to ~1K bits (*not* digits!). Second, you
need to specify things far more concretely, and in particular define
the random number generation process. You can't pick w till you know m.
I've found a solution to this that is more than sufficiently secure in
practice and even theoretically secure in most practical situations.
Well, I'd certainly be interested in hearing about it... There have
been a number of mechanisms for preventing eavesdropping with DH;
a lot depends on what assumptions you want to make. My attempts --
which involve the two parties sharing a weak (i.e., PIN- or password-grade
secret) can be found in /dist/smb/{neke,aeke}.ps on research.att.com.
There's also Rivest and Shamir's Interlock Protocol (April '84 CACM).
Davies and Price suggest using it for authentication, but Mike Merritt
and I showed that that doesn't work under certain circumstances.
--Steve Bellovin