Computer Security Laboratory Concordia Institute for Information Systems Engineering Concordia University, Montreal (QC), Canada

Transcription

1 2005 Intenational Confeence on Wieless Netwoks, Communications and Mobile Computing Impoving the Diffie-Heliman Secue Key Exchange P. Bhattachaya, M. Debbabi and H. Otok Compute Secuity Laboatoy Concodia Institute fo Infomation Systems Engineeing Concodia Univesity, Monteal (QC), Canada Abstact-Diffie-Hellman (DH) is a well-known cyptogaphic algoithm used fo secue key exchange. The fist appeaance of DH was in 1976 (2]. The algoithm allows two uses to exchange a symmetic secet key though an insecue wied o wieless channel and without any pio secets. DH woks unde the domain of integes Zn whee n = p. Hee, p and a ae the two paametes of DH whee p is a lage pime numbe and a is a geneato selected fom the cyclic goup Zn. In this pape, we popose two modifications of DH. The fist modification is to change the domain to intege with n=2pt whee Zn is still cyclic and the second modification is to change the domain to Gaussian aithmetic Z [i]. Afte implementing the thee algoithms we found that the symmetic key size deived fom the two modified algoithms is much geate than the classical one. Moeove, attacking the two modified algoithms using Pohlig-Hellman algoithm, using the same pime value p and pivate value a o b, needs much moe time than the classical one. Index Tems- Diffie-Heliman, Wieless netwoks, Pohlig- Hellman and Gaussian Intege. I. INTRODUCTION Diffie Hellman (DH) allows two uses to exchange a symmetic secet key though an insecue wied o wieless [9,10] channel and without any pio secets [5]. DH is widely used in many cyptogaphic potocols such as Secue Socket Laye (SSL), Secue Shell (SSH) and IP Secuity (IPSec) [1]. Modifing the secuity of DH means impoving the secuity of the potocols that use DH. DH woks unde the domain of intege Zn whee n p. P and = a ae the two paametes of DH whee p is a lage pime numbe and a is a geneato selected fom the cyclic goup Zn. Two pincipals A and B can use the DH algoithm to exchange a symmetic key. The pincipal A chooses a pivate value a, then it chooses a lage andom pime P and a geneato a. The public key of A is (p,a, a') and the pivate key is a. A sends its public key to B. Afte eceiving A's public key, B chooses its own pivate key b and computes its public key (p,a, ab). B sends its public key to A. Now A and B computes thei symmetic key [3]. Two modifications of DH ae pesented in this pape. The fist modification is unde the domain of intege with n=2pt whee Zn is still cyclic and the second modification is unde the domain of Gaussian aithmetic Z*[i]. We implemented the thee algoithms using Mathematica 4.0 unde Pentium 4 pocesso unning at a fequency of {pabi, debbabi, h_otok}@ciise.concodia.ca /05/$ IEEE GHz with 256 MB of RAM. We found that the symmetic key size deived fom the two modified algoithms is geate than the classical one. Moeove, testing the secuity of the modified algoithms is a big issue that let us implement thee diffeent attack algoithms such as: Baby-step Giant-step, Pollad's Rho, Pohlig-Hellman [7]. Afte implementing the thee methods we found that Pohlig-Hellman algoithm needs less time, compaed to the othe methods, to compute the discete logaithm poblem that DH depends on. Fo this eason, we used Pohlig-Hellman algoithm to test the secuity of the thee algoitms. Attacking the two modified algoithms, using the same pime value p and pivate value a o b fo all the algoithms, needs much moe time than the classical one. This pape is oganized as follows: Section 2 descibes the Mathematical backgound. Section 3 pesents the classical and modified DH. Section 4 descibes Pohlig-Hellman algoithm used fo attacking the algoithms. Section 5 descibes an evaluation of the thee algoitms. Section 6 shows the time needed to attack the algoithms. Section 7 illustates the DH potocol used ove wieless netwoks with its possible attacks. A conclusion is dawn in section 8. II. MATHEMATICAL BACKGROUND In this section, we will pesent the mathematical backgound needed fo the modified algoithms [4, 6, 7]. A. Goups Definition 1: A binay opeation (*) on a set G is a function that assigns to each pai of elements a and b in G a Unique a * b in G. Binay opeations ae denoted by: *,-, +, o, (D, 0. In case of '... the element a * b may be a.b fo simplicity, and the opeation is said to be witten in the multiplicative notation. In case of "+", the opeation is witten in additive notation. Definition 2: A goup (G, *) consists of a set G with a binay opeation * on G satisfying the following thee axioms: 1) The goup opeation is associative. That is, a * (b * c) = (a * b) * c fo all a,b,c E G. 2) Fo all a E G, thee is an identity element e o 1 E G suchthat: a * e = e * a = a. 3) Fo a E G, thee is an element b E G which is called the invese of a and denoted by a-, such that: a * b=b * a=e o

2 4) A goup G is an abelian if: a * b = b * a fo all a,b E G (commutative) The above ae witten in multiplicative notations. If the goup opeation is addition, then the goup is said to be an additive goup, the identity element is denoted by 0, and the invese a is denoted by -a. So the additive goup will be in this fom: 1) a+(b+c)=(a+b)+c 2) a+0=o+a=a 3) a+b=b+a=0 (& b=-a). Definition 3: A goup G is finite if the set G has a finite numbe of elements. The ode of G is the numbe of elements in the goup and denoted by IGI. Definition 4: (ode) Let G be a goup and a e G. The ode of a is defined to be the least positive intege t such that at=l. If t does not exist, then the ode of a is defined to be oo. B. Cyclic Goup Definition 5: (The multiplicative goup) The set Un is the multiplicative goup of Zn of ode 4P(n), which is defined as follows: Un={[a]EZn : GCD(a,n) = 1} Definition 6: A goup G is cyclic if thee is an element a e G suchthat fo each b e G thee is an intege i with b= oa. Such that an element a is called a geneato of G. Example 7: U1 =1 1,2,3,4,5,6,7,8,9, 10},by taking any element fom Ul,we have: (2){20, 21, 22, 23 2, 2, 26, 27, 28, 29 }={ 1,2,4,8,5,10,9,7,3,6}=U11. Theefoe,U11 is cyclic. Theoem 8: (Othe Geneatos of a cyclic goup) Let G =(a), then ak is a geneato iff GCD(n, k) = 1 whee 1 < k < n and n=igi=l (a) 1. Coollay 9: If Un is cyclic goup then the numbe of geneatos of U11 is (D4I(n)). Theoem 10: (Kenneth) U1 is cyclic iff n=2; 4; P'; o 2P1, whee P is an odd pime and a is any intege geate than zeo. 1) All Zn ae cyclic (fo all n), but not all Un ae cyclic (not fo all n). 2) Un=={ [a] e Z, GCD(a,n)=I }. If n =p, whee p is a pime numbe, then Up=Zp-{0),whee U, is the set of the invetible elements in Z, 3) The numbe of elements in U. =4(n), 1U.1 = 4(n) and Znl=jn. 4) The numbe of geneatos: In Zn is 4b(n). In Un is '(1Q(n)). Notation 1]: The function 4>(n) is called the Eule Phi Function. - If n = p, whee p is pime, then Up=Zp and (n) =p-1. - If n P l.p2 2...pn is the pime factoization of n, then (n)p -'.(P1-1).P21*(P2-1)..Pn.(Pn-1). Example 12: Fo U13: - U13={ 1,2,3,4,5,6,7,8,9,10,11, The ode of the multiplicative goup U13 is ju13 j=(13)=13-l=12. - U13 is cyclic, because n=13 is pime intege (By Theoem). - The numbe of the geneatos of U13 = 4I(l 2) = 4(22 x 3) = 2(2-1)(2 1)3(1-1)(3-1)=4. - The following steps ae used to find the geneatos of U13 using the divisos of 4(13)=12. 1) The divisos of 12 ae 1,2,3,4,6,12. 2) Choose any element fom the multiplicative goup U13. 3) 21=2; 22=4; 23=8; 24 =3 (mod 13); 26=12(mod 13); 2l2=144_ 1 (mod 13). Theefoe, 2 is a geneato since the ode of the element 2 121=12=lUl31 is the same as the ode of U13. The othe geneatos ae computed as follows: - ak (mod 13) whee (k,12)=1, k=1,2,...,12. - Fo a=2, the geneatos ae: 21,25,27,211 (mod 13). OR: 1) The pime divisos of 12 ae: 2,3. 2) Choose any element fom the multiplicative goup U13. 3) 212=26=12#1 and 2132=24=3#41 (mod 13). Theefoe, 2 is a geneato since the element 2 p :A 1 fo all pime divisos of n, so 121=12=1U131 is the same as the ode of U13. The othe geneatos can be found in the fom: ak (mod 13) whee (k,12)=1, k=l,2,...,12. Fo a=2, the geneatos ae: (mod 13). Example 13: Fo U8: - U8={ 1,3,5,7}, - The ode of the multiplicative goup U8 is lu81 =b(8)= (23)=2(3-1) (2-1)=4. - U8 is not cyclic, because n=8=23 is not satisfying the conditions of the theoem. Theefoe, U8 is not cyclic. C. Gaussian Intege Finding the geneatos in the case of Gaussian intege will be illustated though out the following example. Example 14: In Z3[i]={a+ ib: a,b E Z3}= {0, 1, 2, i, 2i, i+1, i+2,2i+1,2i+2} The multiplicative goup Z* is cyclic, since 3 can be witen in the fom 4k+3 whee k=0. To find the geneatos of the cyclic goup Z3[i], we will go though the following steps: 1) Divisos of 8 ae 1,2,4,8. 2) Choose any element fom the multiplicative goup Z3 [i]. 3) (1+ i)2= 2i (mod 3); (l+i)4= 2i. 2i- -4-2(mod 3); (1+i)8=4u- 1(mod 3) Theefoe, (1 +i) is a geneato since the ode of the element (1+i) 1(1+i)l=8= IZ*[i]l is the same as the ode of Z*[i]. The othe geneatos can be found in the fom: {akmod3: GCD(k,8)=1 whee 1 < k < 8 and a is a geneato}. Fo a=(l+i), the geneatos ae : (1+i)I, (1+i)3,(l +i)5, (l+i)7 (mod 3). III. CLASSICAL AND MODIFIED DH In this section, we will pesent the Classical DH [2], the modified DH in the same domain of integes with n=2ptand DH in the domain of Gaussian integes. 194

3 A. Classical DH Method The steps of the Diffie-Hellman algoithm ae as follows: 1) Key Geneation: a) Geneate a lage andom pime intege p and a geneato a of the multiplicative goup Up. b) Select a andom intege a and b 1 < a, b < p - 1 fo entity A and B, then compute x = a' (mod p) and y=ab (mod p). c) Boadcast the public key of A and B whee A's public 2) A computes the symmetic key ka=ya (mod p) and B computes the symmetic key kb=xb(mod p). Example 15: - p =71 - The geneato a = 69 - Picking intege a: a = 29 - Picking intege b: b = 40 - Computing a a = 61 - Computing ab = 32 - Public Key of A is (x, a, p) = 161, 69, Public Key of B is (y, a, p) ={32, 69, Ka =32 - Kb =32 B. Modified DH in 2pt Diffie Hellman public-key encyption scheme depends on the fact that the goup selected is cyclic. Kenneth theoem [6] said that the multiplicative goup Un is cyclic iff n is eithe 2, 4, pt, o 2pt, whee p is an odd pime and t > 1. 1) Key Geneation: a) Geneate a lage andom n = 2pt and a geneato a of the multiplicative cyclic goup U,. b) Select a andom intege a and b 1 < a, b < &1(n) fo entity A and B, then compute x = Ca (mod n) and y=aeb (mod n). c) Boadcast the public key ofa and B whee A's public 2) A computes the symmetic key ka=ya (mod n) and B computes the symmetic key kb=xb(mod n). Example 16: - P= 11, t=3 - Picking n= The geneato a= Picking intege a =351 - Picking intege b = 16 - Computing aa= Computing a b=885 - Public Key of A is (x, a, n) = 12129,2657, Public Key of B is (y, a, n) ={ 885,2657, Ka = Kb =1347 C. Modified DH in Zn [i] The classical method of DH public-key encyption scheme is extended to the domain of Gaussian intege. We choose a Gaussian pime intege 13 to be a lage pime intege p of the fom 4k+3 so that G3={a + i b: 0 < a, b < p-i },whee the numbe of elements in Gf is q(w) = p2 and in G, is 1D(,3)=p2-i (whee 4 is the Eule phi function). 1) Key Geneation: a) Geneate a lage andom n =/3, which is in the fom 4k+3 and a geneato a of the multiplicative cyclic goup U[Zn[i]J=Zn[i]. b) Select a andom intege a and b, 1 < a, b < P(n) fo entity A and B, then compute x = &a (mod 13) and y=ab (mod,3). c) Boadcast the public key of A and B whee A's public 2) A computes the symmetic key ka=ya(mod 1) and B computes the symmetic key kb=xb(mod,8). Example 17: - Choose a pime intege 1= 83 - Mod[83, 4]=3 - The geneato a= Picking intege a = Picking intege b = Computing aa= Computing a b= Public Key ofa is (x, a, n) = , I, 831 -Public KeyofBis(y,a,n)={34+751,82+731,83} -Ka= Kb= Ka=(14+291)* (14-29I)=1037 -Kb=(14+29I)*(14-29I)=1037 IV. POHLIG-HELLMAN ALGORITHM The Pohlig-Hellman algoithm [8] fo computing discete logaithms takes advantage of the factoization of the ode D(n) of the goup G. Let 4>(n) = 1P p elp12 p2... ~ ep be the pimefc factoization of n. If x = log(, 13, then the appoach is to detemine xi = x(modpi'i) fo 1 < i <, and then use Gausss algoithm to ecove x(mod n). Each intege xi is detemined by computing the digits 10,11,..., l,i in tun of its pi-ay epesentation: Xi lo+pi lei_ipel whee 0lj < P-1.The Pohlig-Hellman algoithm is as follows: Pohlig-Hellman algoithm INPUT: a geneato a of a cyclic goup G of ode 4.(n), and an element13 E G. OUTPUT: the discete logaithm x I log,,3 1) Find the pime factoization of 4?(n): (J(n) = pelpe2 pe, whee ei > 1. 2) Fo i fom 1 to, do the following: (Compute xi = lo + lipi leippei-1, whee xi = x (modpei). 2.1 (Simplify the notation) Set q = pi and e = ei. 2.2 Sety=1 and-1 = Compute 7e -= n/q. 2.4 (Compute the lj) Fo j fom 0 to e - 1 do the following: Compute -y = yijq3land -= (13,-l)n/qj+l Compute ij = log Set xi = lo + 11q le1q- 3) Use Gausss algoithm (stated in the next chapte in the pogam) to compute the intege x, 0 < x < (4(n) - 19 such that x _ xi (modp"i) fo 1 < i <.

4 4) Retun(x). The example below illustates Pohlig-Hellman algoithm with atificially small paametes. Example 18: Let p = The element a = 4184 is a geneato of Z643129, of ode td(n) = p - 1 = Conside,8 = By using Pohlig-Hellman algoithm fo logaithms in Z the discete logaithm x = log is computed as follows. 1) The pime factoization of 4?(n) is = 23 x x x 2) Apply step 2 to find the values xi's fo i = 1,2,3 and 4 as follows: a) To findx= x(mod23) = lo , we compute (i) <i = a12 (modp) = (ii) Compute -y = 1 and:l = (3-y-1)12 (modp) = Then using the exhaustive seach to compute lo = log = 1. (iii) Compute -y =-yal(modp) = 4184 and = (07-")44(modp) = Then using the exhaustive seach to compute 10 = log = 1. (iv)compute -Y = -ya12(modp) = and 1 = (3y- ) 7 (modp) = Then using the exhaustive seach to compute lo = log = 1. Hence, x1 = 1o =1 +1 x x 22= 7. b) To find x2 = x(mod 3), we compute a! a 3 (modp) = and3 = 33 (modp) = 1. Then using the exhaustive seach to compute X2 = log = 3- c) To find X3 = x(mod 127), we compute ci = a1!27(mod p) = and,b =8/T7(mod p) = Then using the exhaustive seach to compute X3 = log = 121. d) To find X4 = x(mod211), we compute a = a-2' (modp) = and: = /3lT (modp) = Then using the exhaustive seach to compute X4 = log = ) Finally, use the Chinese emainde theoem to find the solution x, 0 < x < , of the system of conguences x 7 (mod2) x 3 (mod 3) x 121 (mod 127) x 118 (mod 211) to get the intege x = log = Note: Given the factoization of 4)(n), the unning time of the Pohlig-Hellman algoithm is O(Eei(lgI(n) + VI/)) goup multiplications. Symmetic Key value with p=4831 Fig. 1. Symmetic Key Geneation V. EVALUATION OF THE METHODS In ode to compae the thee diffeent algoithms let us take the same value fo the pime numbe p, pivate key a, and pivate key b. Let us take as an example p=4831, a=4646, and b=4571. It is clealy shown fom Figue 1. that the classical DH geneates a symmetic key of size 12 bits. While the DH in the domain of Gaussian geneates a symmetic key of size 28 bits. Finally, DH unde the domian of intege but with n= 2p2 geneates a symmetic key of size 24 bits. VI DH DH DH2p't Classical Gaussian TESTING THE SECURITY OF THE METHODS The Pohlig-Hellman is used to compute the discette logaithm poblem. Testing of the diffeent algoithms will be done using the same pime value p and pivate key a. It is clealy shown fom Figue 2. that the time needed to attack the two new methods is geate than the classical one. Mathematically, the complexity of the classical Pohlig-Hellman is O(Eei(lg,(n) + +/i)), whee tp(n) is the ode of the set i=l Z (D(n)=p-1, pi is the pime value deived fom the pime factoization of?(n) and ei is the powe of pi. The complexity of the modified Pollig-Hellman used to compute the discette logaithm unde the domain of intege with 2pt is O( Eei(lg,(n)++,/p)), whee 4(n) is the ode of the set Zm i=1 with m=2pt and <>(n)=pt-1(p-1), pi is the pime value deived fom the pime factoization of the ode 41(n) of the modified method (which is geate than the classical one) and ei is the powe of pi. The complexity of the modified Pollig-Hellman used to compute the discette logaithm unde the domain of whee 1(n) is Gaussian intege is O(Eei(lg '(n) + lpf)), i=l the ode of the set Z n=p2_1, pi is the pime value deived fom the pime factoization of the ode P(n) of the modified method (which is geate than the classical one) and ei is the powe of pi. 196

5 Time needed to compute the pivate key a=4646 ETime needed to compute the pivate key 250 2s- C 2 00 X - E l 0~~~~~~0 M = Fig.2. Attacking the methods VII. DIFFIE-HELLMAN PROTOCOL Diffie-Hellman method is used fo symmetic key exchange between entities in wieless netwoks [9,10]. One big poblem of Diffie-Hellman key exchange potocol is the man-in-themiddle attack. In ode to pevent this attack "Time Stamps" and "Signatues" ae used to impove the secuity of DH potocol. A. Diffie-Hellman Potocol Achitectue A and B will use the public cyptogaphy Diffie-Hellman algoithm to exchange symmetic keys ove wieless netwoks. They use the following key ageement potocol. 1) A B: IDA, IDB, TimeA, a', a, p, SignA. 2) B A: IDB, IDA, TimeB, ab, SignB. 3) A B: IDA, IDB, TimeA, SignA. In step I, entity A chooses a lage pime numbe p and a geneato a of Z*. It then chooses a pivate value a (whee a is between 1 < a < (n)) and computes aa mod p. Finally, it computes its signatue though computing the following using the hash function H(: In this potocol, if an attacke wants to play the ole of the man-in-the-middle attack, the eceive can easily discove it though the exchanged signatues. Moeove, the attacke cannot modify the message because of the use of 'ime stamp" and signatues in each step of the potocol. Finally, attacking Diffie-Hellman algoithm depends on the discete logaithm poblem which usually needs too much time to be computed. With the DH modified algoithms computing the discete logaithm poblem is much moe complex than the classical one. VIII. CONCLUSION Diffie Hellman is widely used in diffeent potocols such as SSL, IPSec and SSH. Modifing the secuity of DH means impoving the secuity of the potocols that use DH. The DH method depends on the discete logithm poblem. Solving the discete logithm poblem needs the implementation of Pohlig- Hellman algoithm. Pohlig-Hellman algoithm was choosen between thee diffeent algoithms to be used because of its pefomance and time. Compaison between the thee DH methods was done accoding to the key size geneated by the methods, which shows that the geneated key size fom the modified methods is geate than the classical one. To ensue the secuity of the algoithms we used Pohlig Hellman to compute the value of the same pivate key used by all the methods. Attacking the methods shows that the time needed to compute the pivate key fo the two modified algoithms is geate than the classical one. So, the two modified methods ae moe secue than the classical method as they take longe time to be cacked. REFERENCES [1] David Cats, A Review of the Diffie llellinan Algoithm and its Use in Secue Intenet Potocols, SANS Institute, [2] W. Diffie and M.E. Hellman, New Diections in Cyptogaphy. IEEE Tansaction on infomation theoy, IT-22, pp , [3] T. ElGamal,A public key cyptosystem and a signatue scheme based on discete logaithms, IEEE Tans. Infom., pp , [4] S. Fiedbeg. A. Insel and L. Spence, Linea Algeba, Pentice Hall, 4th edition, ISBN: , Novembe 11, [5] Intenet Engineeing Task Foce (IETF) Woking Goup. Diffie-Hellman Key Ageement Method, RFC 2631, June SignA = SignA (H(IDA, IDB, TimeA, a0, a, p)) [6] R. Kenneth, Elementay numbe theoy and its applications, AT & T Bell Then it sends the message to B. Laboatoies, 4th edition, ISBN: , [7] A. Menezes, P. Ooschot and S. Vanstone,Handbook ofapplied Cyptogaphy, CRC Pess, ISBN: , Octobe In step 2, entity B eceives the messages fom A. Entity B fist veifies whethe o not the messages: TimeA and SignB [8] A. Odlyzko, Discete logaithms: The past and the fitue, AT&T Labsae coect. If the messages ae coect, then B chooses a pivate Reseach, [9] H. Otok, A. Mouad, M. Debbabi and C. Assi,Impoving the Secuity of value b (whee b is between 1 < a < 4?(n)) and computes aob SNMP in Wieless Netwoks, to appea in the poceedings of Wielessmod p. Finally, it computes its signatue as follows: Com [10] R. Song and L. Koba, Secuity Communication Achitectuefo Mobile SignB = SignB (H(IDB, IDA, TimeB, ab)) Agents and E-commece, National Reseach Council Canada, Then it sends the message to A. In Step 3, entity A veifies whethe o not the messages: TimeB, SignB ae coect. If the messages ae coect, then it computes its signatue as follows: SignA = SignA(H(IDA, IDB, TimeA, TimeB, ab)) Then it sends the message to B. Finally, B veifies whethe o not the messages eceived fom A ae coect. If the esult is tue, it means that A and B have the same shaed key K. K will be computed as follows: KME= (aa)b mod p. KAE= (Ceb)a mod p. 197