@@ -366,9 +366,12 @@ useful to communicate securely without being sure whom you’re
366366communicating with, Diffie-Hellman is usually augmented in some way to
367367provide authentication. Diffie-Hellman is used in both the
368368Internet Key Exchange (IKE) protocol, a part of the IP Security
369- (IPsec) architecture, and in Transport Layer Security (TLS).
369+ (IPsec) architecture, and in Transport Layer Security (TLS). We start
370+ our discussion with the basic principles underlying Diffie-Hellman and
371+ work our way through the steps that are required to make it robust
372+ enough for use in today's systems.
370373
371- The Diffie-Hellman protocol has two parameters, *p * and *g *, both of
374+ The original Diffie-Hellman protocol has two parameters, *p * and *g *, both of
372375which are public and may be used by all the users in a particular
373376system. Parameter *p * must be a prime number. The integers
374377:math: `\bmod p` (short for modulo *p *) are :math: `0 ` through *p-1 *,
@@ -468,16 +471,16 @@ Bob is able to compute
468471:math: `(2 ^a \bmod 5 )`.
469472Both Alice and Bob now agree that the secret key is :math: `1 `.
470473
471- There is the problem of Diffie-Hellman’s lack of authentication. One
472- attack that can take advantage of this is the * man-in-the-middle
473- attack *. Suppose Mallory is an adversary with the ability to intercept
474- messages. Mallory already knows *p * and *g * since they are public, and
475- she generates random private values :math: `c` and :math: `d` to use
476- with Alice and Bob, respectively. When Alice and Bob send their public
477- values to each other, Mallory intercepts them and sends her own public
478- values, as in :numref: `Figure %s < fig-manInTheMiddle >`. The result is
479- that Alice and Bob each end up unknowingly sharing a key with Mallory
480- instead of each other.
474+ As described above, Diffie-Hellman’s lack of authentication makes it
475+ vulnerable to various attacks. One such attack is the
476+ * man-in-the-middle attack
477+ ability to intercept messages. Mallory already knows *p * and *g * since
478+ they are public, and she generates random private values :math: `c` and
479+ :math: `d` to use with Alice and Bob, respectively. When Alice and Bob
480+ send their public values to each other, Mallory intercepts them and
481+ sends her own public values, as in :numref: `Figure %s
482+ <fig-manInTheMiddle>`. The result is that Alice and Bob each end up
483+ unknowingly sharing a key with Mallory instead of each other.
481484
482485.. _fig-manInTheMIddle :
483486.. figure :: figures/f08-12-9780123850591.png
@@ -486,35 +489,35 @@ instead of each other.
486489
487490 A man-in-the-middle attack.
488491
489- A variant of Diffie-Hellman sometimes called * fixed Diffie-Hellman *
490- supports authentication of one or both participants. It relies on
491- certificates that are similar to public key certificates but instead
492- certify the Diffie-Hellman public parameters of an entity. For example,
493- such a certificate would state that Alice’s Diffie-Hellman parameters
494- are *p, g *, and :math: `g^a \bmod p`
495- (note that the value of *a * would still be known only to Alice). Such
496- a certificate would assure Bob that the other participant in
497- Diffie-Hellman is Alice—or else the other participant won’t be able to
498- compute the secret key, because she won’t know *a *. If both participants
499- have certificates for their Diffie-Hellman parameters, they can
500- authenticate each other. If just one has a certificate, then just that
501- one can be authenticated. This is useful in some situations; for
502- example, when one participant is a web server and the other is an
503- arbitrary client, the client can authenticate the web server and
504- establish a secret key for confidentiality before sending a credit card
505- number to the web server.
506-
507- A further variant of Diffie-Hellman, which is used in TLS, is called
508- * ephemeral * Diffie-Hellman. Like the fixed variant, it relies on at
492+ It is possible to address the immediate problem of man-in-the-middle
493+ attacks by authenticating one or both participants. We can do this
494+ using certificates that are similar to public key certificates but
495+ instead certify the Diffie-Hellman public parameters of an entity. For
496+ example, such a certificate would state that Alice’s Diffie-Hellman
497+ parameters are *p, g *, and :math: `g^a \bmod p` (note that the value of
498+ *a * would still be known only to Alice). Such a certificate would
499+ assure Bob that the other participant in Diffie-Hellman is Alice—or
500+ else the other participant won’t be able to compute the secret key,
501+ because she won’t know *a *.
502+
503+ The approach we have just described, known as * fixed * Diffie-Hellman,
504+ is not widely recommended in practice because it lacks * forward
505+ secrecy *. If the long-lived private key of Alice were to be
506+ compromised at some point, past sessions that had been recorded by an
507+ attacker would then be potentially at risk. For this reason, another
508+ approach known as * ephemeral * Diffie-Hellman is widely used, notably
509+ in TLS.
510+
511+ Like the fixed variant, ephemeral Diffie-Hellman relies on at
509512least one participant having a certificate issued by a CA, but in this
510513case it certifies that Alice is associated with a given public key
511514(e.g., an RSA key). Alice then generates an ephemeral value of *a *
512515rather than a fixed one, and uses her private key to sign the Diffie
513516Hellman parameters: *p, g *, and :math: `g^a \bmod p`. By providing the
514517certificate and the signed value, Alice is able to show Bob that the
515- message has really come from her and authenticate the Diffie-Hellman
518+ message has really come from her and to authenticate the Diffie-Hellman
516519parameters, while still keeping *a * secret. Unlike fixed
517- Diffie-Hellman, this approach provides * forward secrecy *, meaning that
520+ Diffie-Hellman, this approach provides forward secrecy:
518521even if the long-lived private key of Alice were to be compromised,
519522past sessions that had been recorded by an attacker will still be
520523secure, since they used ephemeral keys that changed with every
@@ -524,3 +527,11 @@ specifications to apply to cases where authentication is also
524527performed using a public key as we have described it here. To avoid
525528confusion, the original form of Diffie-Hellman that lacks
526529authentication is often referred to as "anonymous" mode.
530+
531+ Finally, we note that if both participants have been issued
532+ certificates, they can authenticate each other. If just one has a
533+ certificate, then just that one can be authenticated. One-way
534+ authentication is commonly used on the web; for example, when one
535+ participant is a web server and the other is an arbitrary client, the
536+ client can authenticate the web server and establish a secret key for
537+ confidentiality before sending a credit card number to the web server.
0 commit comments