1. Introduction
DH, short for "Diffie-Hellman", is a way to establish a shared key securely over an insecure network; in other words, it is a key agreement protocol, an idea proposed by Diffie and Hellman, the founders of public-key cryptography.
Simply put, it allows two users to exchange information over a public medium and generate a "consistent", shareable key. That is, party A generates a key pair (public key, private key), and party B generates its own key pair (public key, private key) based on party A's public key. It allows both parties to establish a key over an insecure channel without any prior information about each other. This key can then be used as a symmetric key to encrypt the content of subsequent communication.
2. DH key exchange model analysis
What is the specific process? We analyze the model in terms of the data the two parties send each other.
- 1. Party A (the message sender, the same below) builds a key pair (public key + private key) and publishes its public key to party B (the message recipient, the same below).
- 2. Party B constructs a key pair (public key + private key) using the public key sent by party A, and publishes the public key it has constructed to party A.
- 3. Party A uses "party A's private key + party B's public key" to construct the local key.
- 4. Party B uses "party B's private key + party A's public key" to construct the local key.
- 5. At this point, the local keys newly constructed by the two sides should be the same, and both parties can use the local key to encrypt and decrypt data.
- 6. A symmetric encryption algorithm such as AES can then be used to transmit data securely.
3. Mathematical principle of the DH key exchange algorithm
There are two public global parameters: a prime number p and an integer g, where g is a primitive root of p.
The server's private and public keys are a and A respectively, and the client's private and public keys are b and B respectively.
From a, p, and g, the server can calculate its public key A.
The server sends g, p, and A to the client; the client can then calculate its own public key B and the shared key K.
The client sends B in plaintext to the server, and the server can then also calculate the shared key K.
4. Man-in-the-middle attack
In its original description, the Diffie-Hellman key exchange itself does not authenticate either side of the communication, so it is vulnerable to a man-in-the-middle attack.
An intermediary "C" sitting in the middle of the channel performs two Diffie-Hellman key exchanges, one with A and the other with B, and can then successfully pretend to A to be B, and vice versa.
The attacker can decrypt (read and store) either party's messages, re-encrypt them, and pass them on to the other party. A mechanism that verifies the identity of both sides of the communication is therefore usually needed to prevent such attacks.
There are many authentication solutions built around the Diffie-Hellman key exchange. For example, when A and B share a public key infrastructure, they can sign the keys they return.
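The exchange from section 3 and the interception from section 4, as an added example that is not part of the original article. It assumes toy parameters p = 23 and g = 5, fixed private keys, and an HMAC under a pre-shared key standing in for the PKI signature mentioned above; all function names are hypothetical.

```python
import hashlib, hmac, secrets

P, G = 23, 5  # toy public parameters (constructed); 5 is a primitive root of 23

def keypair(private=None, p=P, g=G):
    """Return (private, public), where public = g^private mod p."""
    x = secrets.randbelow(p - 3) + 2 if private is None else private
    return x, pow(g, x, p)

def shared_key(own_private, peer_public, p=P):
    """K = peer_public^own_private mod p, rejecting degenerate peer values."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)

def tag(auth_key, sender, public):
    """MAC over (sender, public value); stands in for a PKI signature."""
    msg = f"{sender}|{public}".encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def accept(auth_key, sender, public, mac):
    """Return the peer's public value only if its tag verifies."""
    if not hmac.compare_digest(tag(auth_key, sender, public), mac):
        raise ValueError(f"public value from {sender} failed authentication")
    return public

def demo():
    a, A = keypair(6)    # server: private a, public A (fixed for repeatability)
    b, B = keypair(15)   # client: private b, public B
    c, C = keypair(13)   # intermediary C from section 4
    result = {"honest": (shared_key(a, B), shared_key(b, A))}
    # Unauthenticated: C's public value replaces A and B in transit, so
    # server and client each agree on a key with C, not with each other.
    result["intercepted"] = (shared_key(a, C), shared_key(b, C))
    result["held_by_c"] = (shared_key(c, A), shared_key(c, B))
    # Authenticated: the client's tag covers B, so a substituted C is rejected.
    auth_key = b"constructed-demo-auth-key"  # assumption: shared out of band
    mac_B = tag(auth_key, "client", B)
    result["genuine_ok"] = accept(auth_key, "client", B, mac_B) == B
    try:
        accept(auth_key, "client", C, mac_B)
        result["substitution_detected"] = False
    except ValueError:
        result["substitution_detected"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

A prime this small is for reading the arithmetic only; real deployments use standardized groups of 2048 bits or more.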