Active Attacks on DH Key Exchange
Dr. Dharma Ganesan, Ph.D.
Table of Contents
● Objectives of the presentation
● Cryptography problem - Secret Key Exchange
● Cryptanalysis - How to break the crypto system
● Open problems
● Conclusion
Objectives
● Demonstrate how the basic Diffie-Hellman (DH) key exchange works
● Demonstrate how an active attacker can edit DH parameters
● Demonstrate how the man-in-the-middle obtains the shared secret key
○ when DH is used without digital signature
Alice Encrypts - Eve sees gibberish - Bob Decrypts
[Diagram: "Hello Bob" → Encryption Algorithm (open to all), secret key K → 01534236 → Decryption Algorithm (open to all), secret key K → "Hello Bob"]
Note: The same secret key K is used by the encryption and decryption algorithms
Kerckhoffs's principle: The enemy (Eve) knows the encryption and decryption algorithms, but not the key
Problem: sender and receiver need the same key
[Figure labels: Key K, Key K]
● Alice and Bob are too far away from each other
● They never met each other
● They cannot exchange the secret key publicly (Eve is listening)
● How can they arrive at the same secret key K?
We have been (unknowingly) using the mod notation
Let’s go to bed @ 21 hour
21 ≡ 9 (mod 12)
Note: When 21 is divided by 12, 9 is the remainder
What is 5*8 on this clock?
5*8 = 40 ≡ 4 (mod 12)
Gauss developed the theory of modular arithmetic
Cryptographers love mod and primes
Cryptographers view this clock as follows:
Z*_13 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
They use mod 13, which is a prime number
Z*_p = {1, 2, 3, …, p-1}
i            1   2   3   4   5   6   7   8   9  10  11  12
2^i mod 13   2   4   8   3   6  12  11   9   5  10   7   1
For example, 2^4 ≡ 3 (mod 13)
2 is a generator of this clock because it generates all hours from 1..12
Why do cryptographers use mod and one-way functions?
● In a clock, patterns are not that obvious to detect for Eve
● For example, 2^6 is greater than 2^7 in mod 13
● Some problems are difficult to answer (without seeing the below table)
● For example, 2^i ≡ 11 (mod 13), can you quickly find the i?
i            1   2   3   4   5   6   7   8   9  10  11  12
2^i mod 13   2   4   8   3   6  12  11   9   5  10   7   1
Easy: from i to 2^i. Hard: from 2^i back to i.
Cryptographers use one-way functions: Easy in one direction, but hard the other
Power rule of exponents
(2^3)^4 = (2^3)(2^3)(2^3)(2^3) = 2^12
(2^4)^3 = (2^4)(2^4)(2^4) = 2^12
So, (2^3)^4 = (2^4)^3
In general, (g^x)^y = (g^y)^x = g^(xy) [Proof: Exercise]
Diffie-Hellman Key Exchange Algorithm
● In the 1970s, Diffie and Hellman solved the problem of key exchange!
○ Using a one-way function (easy to compute, hard to reverse)
● Alice and Bob arrive at a shared secret key k
○ Using the power rule of exponents (no courier service)
● Eavesdropper Eve cannot easily derive the secret key k
○ Takes billions of years to solve by computers (at this time of writing)
● Diffie, W., and Hellman, M. New directions in cryptography
○ IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654
[Photos: Prof. Hellman (H), Diffie (D)]
Key Exchange - Visual Demo
● Alice
○ Double the hours 5 times (i.e., 2^5 mod 13)
○ Send the clock to Bob
○ Triple the hours 5 times (i.e., 3^5 mod 13)
● Bob
○ Double the hours 4 times (i.e., 2^4 mod 13)
○ Send the clock to Alice
○ Sixfold the hours 4 times (i.e., 6^4 mod 13)
● Both Alice and Bob arrive at the same key (9)
Note: 5 and 4 are secrets
Key Exchange Algorithm - Core Idea (assume that g and p are public)
● Alice
○ Pick a random number x
○ Compute A = g^x mod p
○ Send A to Bob
○ Secret K = B^x mod p
● Bob
○ Pick a random number y
○ Compute B = g^y mod p
○ Send B to Alice
○ Secret K = A^y mod p
● Both Alice and Bob have the same secret key
● Eve sees A and B, but not x, y, or K
DH Key Exchange - Example (g=2, p=13)
● Alice
○ Pick a random number x = 5
○ Compute A = 2^5 mod 13
○ Send A = 6 to Bob
○ Secret K = 3^5 mod 13 = 9
● Bob
○ Pick a random number y = 4
○ Compute B = 2^4 mod 13
○ Send B = 3 to Alice
○ Secret K = 6^4 mod 13 = 9
● Both Alice and Bob have the secret key 9
How can Eve recover the secret key K?
Option 1:
● Eve knows that the secret key can be in {1, 2, … 12}
● She can just try 12 possibilities to decrypt messages
i            1   2   3   4   5   6   7   8   9  10  11  12
2^i mod 13   2   4   8   3   6  12  11   9   5  10   7   1
Option 2:
● Eve builds the above table and solves B = g^y mod p
● For example, B = 6 means secret y = 5
Other Options?
Cryptographers use a very large clock to trick Eve
● Prime p is made of at least 600 digits or so (in 2019)
○ p shall satisfy more properties (not covered here)
● Difficult for Eve to construct the table of all possibilities
● Eve will have to live for several billion years to break it
● Or, she must solve some cool problems (next slide)
[Figure: clock face labelled p-1]
Some cool problems to solve
● Problem 1: Given B, g, and p, efficiently find y such that B = g^y mod p
● Problem 2: Given g^x mod p and g^y mod p, find g^(xy) mod p
○ The exponents x and y are not known to Eve, of course
● Problem 3: Find the prime factors p and q of N such that N = p*q
○ I did not talk about this problem in this presentation
○ See https://www.slideshare.net/dganesan11
Let’s give more power to Eve
● Let’s allow Eve to edit DH parameter g
● In particular, Eve will choose g from {1, p, p-1}
● Similarly, let’s allow Eve to edit the public keys A and B of Alice and Bob
● We will show that in all these cases Eve can recover the secret key K
Case 1: Eve fixed the generator g = 1
● Eve replaced the g by 1
● Alice
○ Pick a random number x
○ Compute A = g^x mod p = 1
○ Send A = 1 to Bob
○ Secret K = B^x mod p = 1
● Bob
○ Pick a random number y
○ Compute B = g^y mod p = 1
○ Send B = 1 to Alice
○ Secret K = A^y mod p = 1
● Eve knows the secret key K = 1
~/crypto$ p=13
~/crypto$ g=1
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****1
● p = 13 and g=1
● Eve learns that the secret key must be one
Case 2: Eve fixed the generator g = p
● Eve replaced the g by p
● Alice
○ Pick a random number x
○ Compute A = p^x mod p = 0
○ Send A = 0 to Bob
○ Secret K = B^x mod p = 0
● Bob
○ Pick a random number y
○ Compute B = p^y mod p = 0
○ Send B = 0 to Alice
○ Secret K = A^y mod p = 0
● Eve knows the secret key K = 0
~/crypto$ p=13
~/crypto$ g=13
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****0
● p = 13 and g=13
● Eve learns that the secret key must be zero
Case 3: Eve fixed the generator g = p-1
● Eve replaced the g by p-1
● Alice
○ Pick a random number x
○ Compute A = (p-1)^x mod p
○ Send A to Bob
○ Secret K = B^x mod p = 1
● Bob
○ Pick a random number y
○ Compute B = (p-1)^y mod p
○ Send B to Alice
○ Secret K = A^y mod p = 1
● Eve knows the secret key K = 1 or K = p-1
g = p-1
● Eve replaces g by p-1
● Alice will compute her public key: A = g^x mod p = (p-1)^x mod p
● Bob will compute his public key: B = g^y mod p = (p-1)^y mod p
● Both Alice and Bob will arrive at K = (p-1)^(xy) mod p
● If x (or y) is even, then K = (p-1)^(xy) mod p = 1
● If x and y are odd, then K = (p-1)^(xy) mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
~/crypto$ p=13
~/crypto$ g=12
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g
*** Secret Session Key = ****12
● p = 13 and g=12
● Eve learns that the secret key must be 1 or p-1
Let’s allow Eve to edit public keys A and B only
Case 1: What if Eve sets public keys A and B to p?
● Recall that Alice and Bob send their public keys on the public channel
● What if Eve intercepts and modifies the public keys?
● Case 1: For example, Eve replaces the public keys as follows:
○ Eve replaces Alice’s public key A by p
○ Eve also replaces Bob’s public key B by p
● Alice will compute the private key: K = A^x mod p = p^x mod p = 0
○ K = 0 because p divides p^x
○ Similarly, Bob will compute the private key: K = B^x mod p = p^x mod p = 0
● Eve knows the secret key K = 0
Case 1: Eve edits the public keys A and B by p
● Alice
○ Pick a random number x
○ Compute A = g^x mod p
○ Send p to Bob (Eve replaced A)
○ Secret K = p^x mod p = 0
● Bob
○ Pick a random number y
○ Compute B = g^y mod p
○ Send p to Alice (Eve replaced B)
○ Secret K = p^y mod p = 0
● Eve replaced the public keys A and B by p
● Eve knows the secret key K = 0
Case 2: What if Eve sets public keys A and B to p-1?
● Eve replaces the public keys A and B by p-1
● Alice will compute the private key: K = A^x mod p = (p-1)^x mod p
● If the unknown x is even, then K = (p-1)^x mod p = 1
● If the unknown x is odd, then K = (p-1)^x mod p = (p-1)^(x-1) (p-1) mod p = (p-1)
● So, Eve learned the secret key K can be either 1 or (p-1)
Case 2: Eve edits the public keys A and B by p-1
● Alice
○ Pick a random number x
○ Compute A = g^x mod p
○ Send (p-1) to Bob (Eve replaced A)
○ Secret K = (p-1)^x mod p
● Bob
○ Pick a random number y
○ Compute B = g^y mod p
○ Send (p-1) to Alice (Eve replaced B)
○ Secret K = (p-1)^y mod p
● Eve replaced the public keys A and B by p-1
● Eve knows the secret key K = 1 or (p-1)
~/crypto$ echo $p
13
~/crypto$ echo $g
2
~/crypto$ echo $MiTm
true
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****12
~/crypto$ java -ea Basic_DH $p $g $MiTm
*** Secret Session Key = ****1
~/crypto$ java -ea Basic_DH $p $g $MiTm
Exception in thread "main" java.lang.AssertionError
    at Basic_DH.main(Basic_DH.java:70)
● p = 13 and g=2
● Eve learns that the secret key can be either 1 or 12 only
● However, Alice and Bob may notice that something is wrong because the shared secret key may be different
● For example, Alice’s K = 1 and Bob’s K = 12
● My demo program throws an exception if Alice and Bob have different secret keys
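The key sets claimed on the preceding slides can be confirmed exhaustively on the toy prime p = 13. The following Python sketch is an added example, not the author's Basic_DH program; the function names are hypothetical and private exponents are assumed to be drawn from 1..p-1.

```python
# Added example (not the author's Basic_DH): exhaustive check of the slides'
# cases on the toy prime p = 13. Function names are hypothetical.

P = 13
G = 2


def exponents(p):
    """Private exponents considered here: 1 .. p-1 (assumption; 0 is left out)."""
    return range(1, p)


def keys_with_generator(p, g):
    """Every session key Alice and Bob can agree on when both use generator g."""
    keys = set()
    for x in exponents(p):
        a_pub = pow(g, x, p)
        for y in exponents(p):
            b_pub = pow(g, y, p)
            k_alice = pow(b_pub, x, p)
            k_bob = pow(a_pub, y, p)
            assert k_alice == k_bob  # unmodified public keys always agree
            keys.add(k_alice)
    return keys


def keys_with_substituted_pubkey(p, fake):
    """Both public keys are replaced in transit by `fake`.

    Returns (keys either side can derive, mismatching runs, total runs).
    """
    keys, mismatches, total = set(), 0, 0
    for x in exponents(p):
        k_alice = pow(fake, x, p)       # Alice uses the value she received
        for y in exponents(p):
            k_bob = pow(fake, y, p)     # Bob uses the value he received
            keys.update((k_alice, k_bob))
            mismatches += k_alice != k_bob
            total += 1
    return keys, mismatches, total


if __name__ == "__main__":
    print("honest g=2       ->", sorted(keys_with_generator(P, G)))
    for label, g in (("g=1", 1), ("g=p", P), ("g=p-1", P - 1)):
        print(f"edited {label:<9} ->", sorted(keys_with_generator(P, g)))
    for label, fake in (("A=B=p", P), ("A=B=p-1", P - 1)):
        keys, bad, total = keys_with_substituted_pubkey(P, fake)
        print(f"edited {label:<9} -> keys {sorted(keys)}, "
              f"Alice != Bob in {bad}/{total} runs")
```

With the honest generator every value in 1..12 is reachable, while each edit collapses the key space to one or two values; replacing both public keys by p-1 leaves Alice and Bob with different keys whenever x and y differ in parity, which is the AssertionError seen in the demo run.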
Conclusion
● If we allow Eve to edit g, then she can fix the secret key!
● Usually, in practice, the values of g and p are hard-coded
● Nevertheless, it is interesting to see what Eve can do if we allow her to edit g
● Demo shows that by editing the public keys, the secret key is exposed
● DH key exchange algorithm should not be used without digital signature
● Otherwise, man-in-the-middle can alter DH parameters and public keys
● These active attacks were part of Crypto exercise problems
○ (e.g., textbooks and the online Cryptopals challenge set 5)
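A receiver-side range test on the received generator and public key rejects every edited value shown in these slides; it complements, and does not replace, the digital signature the conclusion calls for. This is an added Python example, not part of the original deck: check_public_value and audit_slide_cases are hypothetical names, and the optional subgroup test (for p = 2q + 1, shown with the constructed toy values p = 23, q = 11) goes beyond the cases on the slides.

```python
# Added example, not from the original slides. All names are hypothetical.

def check_public_value(p, value, q=None):
    """Validate a received DH generator or peer public key.

    Returns None when the value is acceptable, otherwise a reason string.
    Range rule: 2 <= value <= p-2. This excludes 0, 1, p-1 and p, the values
    that force the session key into {0}, {1} or {1, p-1}.
    Optional subgroup rule: when the subgroup order q is known, value^q mod p
    must equal 1.
    """
    if value < 2 or value > p - 2:
        return "outside [2, p-2]"
    if q is not None and pow(value, q, p) != 1:
        return "not in the order-q subgroup"
    return None


def audit_slide_cases(p=13, g=2):
    """Replay each edit from the slides for every private exponent 1..p-1.

    Each entry maps a case to the value Bob receives as Alice's public key.
    Returns {case: (runs rejected by the check, total runs)}.
    """
    cases = {
        "honest":            lambda x: pow(g, x, p),
        "g replaced by 1":   lambda x: pow(1, x, p),
        "g replaced by p":   lambda x: pow(p, x, p),
        "g replaced by p-1": lambda x: pow(p - 1, x, p),
        "A replaced by p":   lambda x: p,
        "A replaced by p-1": lambda x: p - 1,
    }
    report = {}
    for name, received in cases.items():
        verdicts = [check_public_value(p, received(x)) for x in range(1, p)]
        report[name] = (sum(v is not None for v in verdicts), len(verdicts))
    return report


if __name__ == "__main__":
    # The same test applied to a received generator (toy prime from the slides).
    for g in (1, 13, 12, 2):
        print(f"generator {g:>2}:", check_public_value(13, g) or "accepted")

    # Honest runs are rejected only when g^x itself lands on 1 or p-1;
    # a sender can avoid that by drawing a new private exponent.
    for case, (rejected, total) in audit_slide_cases().items():
        print(f"{case:<18} rejected in {rejected}/{total} runs")

    # Constructed toy safe prime: p = 23 = 2*11 + 1, g = 2 has order 11.
    print("5 mod 23, q=11:", check_public_value(23, 5, q=11))
```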
Appendix - Proof of concept (not for production use)
import java.math.BigInteger;
import java.security.SecureRandom;

public class Basic_DH {
    // Set from the optional third command-line argument. When true, the
    // man-in-the-middle replaces both public keys by p-1.
    private static boolean MitM_Param_Injection = false;

    private BigInteger p = BigInteger.valueOf(2);
    private BigInteger g = BigInteger.valueOf(2);

    public Basic_DH(BigInteger p, BigInteger g) {
        this.p = p;
        this.g = g;
    }

    private Basic_DH() {}

    // Public key = g^privKey mod p
    public BigInteger generatePublicKey(BigInteger privKey) {
        return g.modPow(privKey, p);
    }

    // Random private key in [0, p)
    public BigInteger generatePrivKey() {
        while (true) {
            BigInteger privKey = new BigInteger(p.bitLength(), new SecureRandom());
            if (privKey.compareTo(p) < 0) return privKey;
        }
    }

    // Session key = pubKey^privKey mod p
    public BigInteger generateSessionKey(BigInteger pubKey, BigInteger privKey) {
        return pubKey.modPow(privKey, p);
    }

    public static void main(String[] args) {
        BigInteger p = new BigInteger(args[0]);
        BigInteger g = new BigInteger(args[1]);
        if (args.length > 2) {
            MitM_Param_Injection = Boolean.parseBoolean(args[2]);
        }
        Basic_DH dh = new Basic_DH(p, g);
        BigInteger x = dh.generatePrivKey();    // Alice's private key
        BigInteger A = dh.generatePublicKey(x); // Alice's public key
        BigInteger y = dh.generatePrivKey();    // Bob's private key
        BigInteger B = dh.generatePublicKey(y); // Bob's public key
        if (MitM_Param_Injection) {
            // Eve replaces both public keys by p-1
            B = p.subtract(BigInteger.ONE);
            A = p.subtract(BigInteger.ONE);
        }
        BigInteger alice_sk = dh.generateSessionKey(B, x);
        BigInteger bob_sk = dh.generateSessionKey(A, y);
        // With -ea, this fails when Alice and Bob derive different keys
        assert alice_sk.equals(bob_sk);
        System.out.println("*** Secret Session Key = ****" + alice_sk);
    }
}
