Subject | Computer and Network Security |
---|---|

NU Year | Set: 3.(c) Marks: 5 Year: 2017 |

Diffie-Hellman key
exchange, also called exponential key exchange, is a method of digital encryption that
uses numbers raised to specific powers to produce decryption keys on the
basis of components that are never directly transmitted, making the task of a
would-be code breaker mathematically overwhelming.

To implement
Diffie-Hellman, the two end users Alice and Bob, while communicating over a
channel they know to be private, mutually agree on positive whole numbers p and q,
such that p is a prime number and q is a
generator of p. The generator q is a number that, when raised to
positive whole-number powers less than p, never produces the same result
for any two such whole numbers. The value of p may be large but the
value of q is usually small.

Once Alice and Bob have
agreed on p and q in private, they choose positive
whole-number personal keys a and b, both less than the
prime-number modulus p. Neither user divulges their personal key to
anyone; ideally they memorize these numbers and do not write them down or store
them anywhere. Next, Alice and Bob compute public keys a* and b* based
on their personal keys according to the formulas

a* = qa mod p

and

b* = qb mod p

The two users can share
their public keys a* and b* over a communications medium
assumed to be insecure, such as the Internet or a corporate wide area
network (WAN). From these public keys, a number x can be generated by
either user on the basis of their own personal keys. Alice computes x using
the formula

x = (b*)a mod p

Bob computes x using
the formula

x = (a*)b mod p

The value of x turns
out to be the same according to either of the above two formulas. However, the
personal keys a and b, which are critical in the calculation
of x, have not been transmitted over a public medium. Because it is a
large and apparently random number, a potential hacker has almost no chance of
correctly guessing x, even with the help of a powerful computer to conduct
millions of trials. The two users can therefore, in theory, communicate
privately over a public medium with an encryption method of their choice using
the decryption key x.

The most serious
limitation of Diffie-Hellman in its basic or "pure" form is the lack
of authentication. Communications using Diffie-Hellman all by itself are
vulnerable to man in the middle attacks. Ideally, Diffie-Hellman should be
used in conjunction with a recognized authentication method such as digital
signatures to verify the identities of the users over the public communications
medium. Diffie-Hellman is well suited for use in data communication but is less
often used for data stored or archived over long periods of time.