4

I am trying to understand the Diffie-Hellman (DH) algorithm because I would like to have two computers communicating with each other but without a third one knowing what they are saying, but also exchanging the secret key they will use in an insecure channel.

The thing is that the third one also knows how the DH will process, namely, the constant parameters. More specifically p and g:

(image: DH algorithm)

So the question is, if I know p and g, can I discover that Bob and Alice will use 8 as their secret key?

PedroD
    Beware that you still need to authenticate the keys to prevent MITM. This is not easy. http://blogs.msdn.com/b/ericlippert/archive/2011/09/27/keep-it-secret-keep-it-safe.aspx – SLaks Jan 18 '15 at 22:22
    The whole point of D-H is that everyone in the room (or on the wire) can know p,g, A, and B, and they still have no chance of finding "a" (6 in your case) and "b" (5 in your case). Notice that even Alice & Bob only know their own secret (a & b), but not the other's, yet they arrive at a shared secret (8) due to the beauty of the math (discrete logarithm). To answer your question, knowing p & g doesn't help an attacker. BTW, the biggest vulnerability with "schoolbook" D-H is a Man in the Middle attack. – Dan Jan 19 '15 at 02:17
  • I'm voting to close this question as off-topic because it should have been posted or moved to http://crypto.stackexchange.com/ – Oleg Estekhin Mar 13 '17 at 07:17
  • This question is so old. How did you unbury this? – PedroD Mar 13 '17 at 11:01

2 Answers

4

No, you can't. To compute the secret key you must first be able to compute a (Alice's secret key) or b (Bob's secret key); this will require the eavesdropper to compute the discrete logarithm, and since there isn't any known efficient algorithm that can compute that, Diffie-Hellman is pretty secure, and the third party (the eavesdropper) will never know that 8 is the secret key. (Note that the right selection of p and g is critical for making a secure key exchange.)

Gherbi Hicham
0

You have to be careful about the choice of your generator (it must generate the entire group), and the choice of your number p.

In the particular case of the multiplicative group mod p, which you're most likely talking about:

  1. your p has to be a safe prime
  2. your generator g has to be a primitive root mod p:

Also your implementation is likely to be vulnerable to timing and other side channel attacks.

In other words: don't do it. Cryptography is difficult. Use a library which will do it for you.

Henrik
Adam Kurkiewicz
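An added example in Python, not code from the question or either answer: it checks the two parameter rules from the last answer (safe prime p, generator g a primitive root mod p), runs one exchange with constructed toy values p=23, g=5, a=6, b=15, and then shows what the third computer has to do with only p, g, A and B, namely solve a discrete logarithm, which is instant at this toy size and is exactly why real parameters are thousands of bits.

```python
# Added example, not code from the question or answers: constructed toy values
# (p=23, g=5, a=6, b=15); real use needs a vetted library and 2048-bit+ groups.

def is_prime(n: int) -> bool:
    """Trial division; adequate only for toy-sized parameters."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_safe_prime(p: int) -> bool:
    """Rule 1 from the answer: p and q = (p - 1) / 2 must both be prime."""
    return is_prime(p) and is_prime((p - 1) // 2)

def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g: int, p: int) -> bool:
    """Rule 2: g generates the whole group mod p iff g^((p-1)/r) != 1 (mod p)
    for every prime factor r of p - 1, i.e. the order of g is exactly p - 1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def dh_exchange(p: int, g: int, a: int, b: int) -> tuple:
    """One exchange: p, g, A, B cross the wire, a and b never do.
    Returns (A, B, shared_secret)."""
    A = pow(g, a, p)                   # Alice -> Bob
    B = pow(g, b, p)                   # Bob -> Alice
    s_alice, s_bob = pow(B, a, p), pow(A, b, p)
    assert s_alice == s_bob            # both sides hold g^(a*b) mod p
    return A, B, s_alice

def eavesdrop(p: int, g: int, A: int, B: int) -> int:
    """The third computer's only route with p, g, A, B: solve g^a = A (mod p).
    Brute force is instant at toy size and hopeless at real size."""
    a = next(x for x in range(1, p) if pow(g, x, p) == A)
    return pow(B, a, p)

if __name__ == "__main__":
    p, g, a, b = 23, 5, 6, 15
    assert is_safe_prime(p) and is_primitive_root(g, p)
    A, B, s = dh_exchange(p, g, a, b)
    print(f"A={A} B={B} shared={s} eavesdropper_gets={eavesdrop(p, g, A, B)}")
```

With these values Alice sends A=8, Bob sends B=19, and both derive the shared secret 2; g=2 fails the primitive-root check for p=23 because its order is only 11, so it would confine the exchange to half the group.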