Better to know some... than all 


Key agreement based on asymmetric techniques

Diffie–Hellman key agreement (also called exponential key exchange) is a fundamental technique providing unauthenticated key agreement. This section discusses key establishment protocols based on exponential key agreement, as well as the concept of implicitly certified public keys and their use in Diffie–Hellman protocols.

Diffie–Hellman key agreement protocols

Diffie–Hellman key agreement provided the first practical solution to the key distribution problem, allowing two parties, never having met in advance or shared keying material, to establish a shared secret by exchanging messages over an open channel. The security rests on the intractability of the Diffie–Hellman problem and the related problem of computing discrete logarithms. The basic version provides protection in the form of secrecy of the resulting key from passive adversaries (eavesdroppers), but not from active adversaries capable of intercepting, modifying, or injecting messages. Neither party has assurances of the source identity of the incoming message or of the identity of the party which may know the resulting key, i.e., neither entity authentication nor key authentication.

Protocol: Diffie–Hellman key agreement (basic version)

SUMMARY: A and B each send the other one message over an open channel.
RESULT: shared secret K known to both parties A and B.

1. One-time setup. An appropriate prime p and a generator α of Z^{*}_{p} (2 ≤ α ≤ p − 2) are selected and published.
2. Protocol messages.
   A → B : α^{x} mod p (1)
   A ← B : α^{y} mod p (2)
3. Protocol actions. Perform the following steps each time a shared key is required.
   (a) A chooses a random secret x, 1 ≤ x ≤ p − 2, and sends B message (1).
   (b) B chooses a random secret y, 1 ≤ y ≤ p − 2, and sends A message (2).
   (c) B receives α^{x} and computes the shared key as K = (α^{x})^{y} mod p.
   (d) A receives α^{y} and computes the shared key as K = (α^{y})^{x} mod p.

Diffie–Hellman with fixed exponentials: A variation of the protocol above provides mutual key authentication. Fix α^{x} and α^{y} mod p as long-term public keys of the respective parties, and distribute these using signed certificates, thus fixing the long-term shared key for this user pair to K = α^{xy}. If such certificates are available a priori, this becomes a zero-pass key agreement (no cryptographic messages need be exchanged). The time-invariant nature of this key K, however, is a drawback.

Diffie–Hellman in other groups: The Diffie–Hellman protocol, and those based on it, can be carried out in any group in which both the discrete logarithm problem is hard and exponentiation is efficient. The most common examples of such groups used in practice are the multiplicative group Z^{*}_{p} of Z_{p}, the analogous multiplicative group of F_{2^m}, and the group of points defined by an elliptic curve over a finite field.

Control over the Diffie–Hellman key: While it may appear as though Diffie–Hellman key agreement allows each party to guarantee key freshness and preclude key control, use of an exponential with small multiplicative order restricts the order (and thereby the value) of the overall key. The most degenerate case for Z_{p} would be selection of 0 as private exponent, yielding an exponential with order 1 and the multiplicative identity itself as the resulting key. Thus, either participant may force the resulting key into a subset of the original (naively assumed) range set.

Relatedly, some variants of Diffie–Hellman involving unauthenticated exponentials are vulnerable to the following active attack. Assume α generates Z^{*}_{p} where p = Rq + 1 (consider R = 2 and q prime). Then β = α^{q} = α^{(p−1)/R} has order R (β = −1 for R = 2). If A and B exchange unauthenticated short-term exponentials α^{x} and α^{y}, an adversary may replace these by (α^{x})^{q} and (α^{y})^{q}, forcing the shared key to be K = α^{xyq} = β^{xy}, which takes one of only R values (+1 or −1 for R = 2). K may thus be found by exhaustive trial of R values. A more direct attack involves simply replacing the exchanged exponentials by +1 or p − 1 = −1. This general class of attacks may be prevented by authenticating the exchanged exponentials, e.g., by a digital signature.
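As an added illustration (not from the original text), the following Python example runs the basic protocol over constructed toy parameters p = 23 = 2·11 + 1 and α = 5, shows that substituting the exponentials by their q-th powers confines the key to {+1, −1}, and adds a receiver-side acceptance check that rejects elements of the order-R subgroup; that check is an extra defensive measure and not the text's own mitigation, which is signing the exponentials.

```python
import secrets

# Constructed toy parameters, far too small for real use: p = R*q + 1 with
# R = 2 and q = 11, and alpha = 5, which generates Z_23^* (order p - 1 = 22).
P, R, Q, ALPHA = 23, 2, 11, 5


def dh_public(p, alpha, secret):
    """One party's exponential alpha^secret mod p (messages (1) and (2))."""
    return pow(alpha, secret, p)


def dh_shared_key(p, received, secret):
    """K = received^secret mod p, as in steps (c) and (d) of the protocol."""
    return pow(received, secret, p)


def forced_key(p, q, x, y):
    """Key both parties compute after an active adversary replaces alpha^x and
    alpha^y by (alpha^x)^q and (alpha^y)^q, i.e. K = alpha^(xyq) = beta^(xy)."""
    ax_sub = pow(dh_public(p, ALPHA, x), q, p)
    ay_sub = pow(dh_public(p, ALPHA, y), q, p)
    k_a = dh_shared_key(p, ay_sub, x)
    k_b = dh_shared_key(p, ax_sub, y)
    assert k_a == k_b  # both sides still agree, but on a low-entropy key
    return k_a


def exponential_is_acceptable(p, r, value):
    """Added defensive check on a received exponential: reject +1, p-1 = -1 and
    any element of the subgroup of order R (value^R = 1), which is exactly the
    set the substitution attack lands in. Signing the exponentials, as the
    text recommends, is the mitigation against the active adversary itself."""
    if not 1 < value < p - 1:
        return False
    return pow(value, r, p) != 1


def demo():
    """Honest run, the forced key, and the verdict of the check on a
    substituted exponential. Returns (honest_key, forced_key, accepted)."""
    x = 1 + secrets.randbelow(P - 2)  # 1 <= x <= p - 2
    y = 1 + secrets.randbelow(P - 2)
    ax, ay = dh_public(P, ALPHA, x), dh_public(P, ALPHA, y)
    honest = dh_shared_key(P, ay, x)
    assert honest == dh_shared_key(P, ax, y)
    forced = forced_key(P, Q, x, y)
    substituted = pow(ax, Q, P)  # what B would receive under the attack
    return honest, forced, exponential_is_acceptable(P, R, substituted)


if __name__ == "__main__":
    print(demo())
```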