Implementation of the Diffie-Hellman Key Exchange



Implementation of the Diffie-Hellman Key Exchange

CS 603 – Fall 2005

Final Project Report

Dr. Leszek Lilien

Submitted by:

Sahil Behl

Muhammad Rehan Fayyaz

Motive:

The spectacular growth of the Internet has spawned an increased awareness of and interest in security issues. Although security has been considered in the design of the basic Internet protocols, many applications have been and are being designed with minimal attention paid to issues of confidentiality, authentication, and privacy. As our daily activities become more and more reliant upon data networks, the importance of an understanding of such security issues will only increase. Many cryptographic algorithms (e.g., DES,AES, HMAC) require the establishment of shared keying material in advance. Manual distribution of keying material is inefficient and complex. This is where the Diffie-Hellman Key Agreement algorithm is useful.

Project Description:

The motive of the project is to review and implement the Diffie-Hellman key exchange protocol and study its applications especially for the internet key exchange.

Create a web page for an electronic business. Encipher sensitive data such as customer credit number, SSN etc before transporting them from client to server. 

The idea is simple, the customer access the website powered by our simple http server, our web server will reply with a java servlet. The client will communicate with server by Diffie-Hellman key-exchange protocol to generate the common shared key which is used in the later communication. After key exchange, both server and client will use the shared key to encipher and decipher the sensitive data such as customer credit number, SSN etc  

Brief Description of Individual modules:

Diffie-Hellman Key Exchange algorithm.

Diffie-Hellman key exchange offers the best of both worlds -- it uses public key techniques to allow the exchange of a private encryption key. Let's take a look at how the protocol works, from the perspective of Alice and Bob, two users who wish to establish secure communications. We can assume that Alice and Bob know nothing about each other but are in contact.

Here are the nine steps of the process:

1. Communicating in the clear, Alice and Bob agree on two large positive integers, n and g, with the stipulation that n is a prime number and g is a generator of n.

2. Alice randomly chooses another large positive integer, XA, which is smaller than n. XA will serve as Alice's private key.

3. Bob similarly chooses his own private key, XB.

4. Alice computes her public key, YA, using the formula YA = (g^XA) mod n.

5. Bob similarly computes his public key, YB, using the formula YB = (g^XB) mod n.

6. Alice and Bob exchange public keys over the insecure circuit.

7. Alice computes the shared secret key, k, using the formula k = (YB ^XA) mod n.

8. Bob computes the same shared secret key, k, using the formula k = (YA ^XB) mod n.

9. Alice and Bob communicate using the symmetric algorithm of their choice and the shared secret key, k, which was never transmitted over the insecure circuit.

Working of the program:

• The algorithm generates a public key and a private key for the client (say Alice)

KeyPairGenerator aliceKpairGen=KeyPairGenerator.getInstance("DH"); aliceKpairGen.initialize(dhSkipParamSpec);

KeyPair aliceKpair = aliceKpairGen.generateKeyPair();

The KeyPairGenerator class is used to generate pairs of public and private keys.

Key pair generators are constructed using the getInstance factory methods (static methods that return instances of a given class).

A Key pair generator for a particular algorithm creates a public/private key pair that can be used with this algorithm. It also associates algorithm-specific parameters with each of the generated keys.

(Ref. )

• Alice then encodes her public key and sends it to Bob, who then retrieves the DH parameters associated with Alice’s public key and uses it to generate his own key pair.

DHParameterSpec dhParamSpec =((DHPublicKey)alicePubKey).getParams();

• Bob initializes his own DH key pair

KeyPairGenerator bobKpairGen = KeyPairGenerator.getInstance("DH");

bobKpairGen.initialize(dhParamSpec);

KeyPair bobKpair = bobKpairGen.generateKeyPair();

• Bob encodes his public key and sends it over to Alice

byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded();

At this stage, both Bob and Alice have created their public and private keys, and have exchanged their public keys. The will now generate a shared key.

Alice shared key:

aliceKeyAgree.doPhase(bobPubKey, true);

int aliceLen = aliceSharedSecret.length;

Bob Shared Key:

byte[] bobSharedSecret = new byte[aliceLen];

• Bob and Alice write down their shared keys into a file, which are then read by the server and client servlets respectively.

(Please find the attached code for the entire DiffieHellman.java program in the appendix)

Client:

• The client program was implemented using Java servlets and a HTML page that invokes the servlet.

• The user enters the data to be sent via the HTML page which then invokes the Client servlet.

• The servlet then encrypts this data using the shared key object generated by the Diffie-Hellman Key Agreement algorithm and the Data Encryption Standard (in ENCRYPT mode) and send it over to the server.

• The client servlet uses URL Redirection to send the encrypted message from the client to the server.

(Please find the attached code for Client.java in the appendix)

.

Server:

• The server itself is a simple servlet that is connected to a database.

• It receives the encrypted message from the client and decrypts it using the shared key object generated by the Diffie-Hellman algorithm and DES (in DECRYPT mode).

• Once the message has been decrypted the server will store the message into the database, which can be retrieved at a later stage.

(Please find the attached code for the server in the appendix)

Non- Mathematical Representation:

[pic]

[pic]

(Ref: )

Architecture:

The architecture for the entire implementation process is as follows:

a. High Level Architecture:

[pic]

The descriptions of the individual modules are as follows

(Please refer next page)

b). Individual Modules:

(i) Client :

[pic]

(ii) Server :

Goals accomplished :

Please refer to the to do list in the checkpoint report.

(Attached to the appendix)

|Sr. No. |Tasks |Description |Date |

|1 |Integration of the modules. |Implement the Diffie- Hellman algorithm within|Done |

| | |the client - server model we have created. | |

|2 |Testing the modules |Test each module individually and |Done |

| | |collectively. | |

|3 |Use a network sniffer |We will use Ethereal, to sniff the messages |Done |

| | |being exchanged between the client and the | |

| | |server. | |

|4 |Project Documentation |Project manuals created at each phase of |Done |

| | |software development. | |

|5 (OPTIONAL) |Implement a database |Connect a database to the servlet to store the|Done |

| | |messages received from the client. The servlet| |

| | |itself is stateless | |

Example :

|Plaintext |Shared Key (in text |Encrypted message (received as string)|Encrypted message |Decrypted message |

| |format) |(received as string) – padded |(bytes) | |

| | | | | |

|hello |›«LRû |2NnxBDxYFJY= |[B@6214f5 |hello |

Technologies used:

NOTE:

• Please put the class files of the servlets in the /webapps/ROOT/WEB-INF/classes directory of tomcat.

• Please put the HTML page in the /webapps/ROOT directory of tomcat.

1) Servlets:

a) ShowParameters.java

b) Client.java

(Please find the attached source code in the appendix)

2) Java classes:

a) DiffieHellman.java

b) ServletUtilities.java

(Please find the attached source code in the appendix)

3) Encryption algorithms:

• Key Agreement

a) Diffie – Hellman Key Agreement

• Algorithm used to encipher plain text

a) Data Encryption Standard (DES)

4) Application server:

a) Tomcat.

(Downloaded from: )

5) JDBC (Pointbase):

a) ShowParameters.java

(Comes with J2EE )

6) URL Redirecting:

a) Client.java

7) Network Protocol Analyzer:

a) Ethereal

8) HTML:

• Form Data

a) login.html

• Tables

a) ShowParameters.java

Security Issues:

1. Denial of service Attacks:

-The attacker tries to stop Alice and Bob from successfully carrying out the protocol.

Example: Deleting the messages that Alice and Bob send to each other, or by overwhelming the parties with unnecessary computation or communication.

2. Outsider Attacks:

-The attacker tries to disrupt the protocol (by for example adding, removing, replaying messages) so that hegets some interesting knowledge (i.e. information he could not

have gotten by just looking at the public values).

3. Insider Attacks:

- It is possible that one of the participants in a DH protocol creates a breakable protocol run on purpose in order to try to gain knowledge about the secret key of his peer.

- This is an important attack if one of the participants holds a static secret key that is used in many key agreement protocol runs. Note that malicious software

could be very successful in mounting this attack.

4. Man in the Middle Attacks:

- An active attacker (Oscar), capable of removing and adding messages, can easily break the core DH protocol .

- By intercepting the public keys and replacing them, Oscar (O) can fool Alice and Bob into thinking that they share a secret key.

Future Work:

1. Exchange the shared key generated by the Diffie - Hellman algorithm over the network.

(We had problems transferring a PublicKey object over the network)

2. Implement the Diffie-Hellman algorithm using other encryption algorithms and compare them.

References:

Websites:

1. - Visited on 09/16/2005 – college website

2. Visited on 09/18/2005

3. Visited on 09/18/2005

4. - Visited on 09/14/2005 – Network Security White papers

5. - Visited on 09/17/2005 – SANS Institute 2001, a paper on the Diffie – Hellman Algorithm and its use in secure Internet protocols.

6. –Visited on 09/23/2005, Network Security Webpage.

7. - Visited on 11/15/2005,

Reason: was getting an exception while encoding the encrypted message, searched on Google.

8. : Visited on 11/18/2005. It is a java forum. Reason: was getting badPaddingException, searched on Google.

9. : Visited on 11/23/2005. It is a java forum. Reason: searching for a way to store and restore a key. Searched on Google.

10. :

Visited on 11/24/2005. It is a java forum. Reason: was getting an exception IllegalBlockSizeException. Searched on Google.

11. : Visited 11/26/2005.It was useful for writing the code to store data into the database.

12. :Visited 11/25/2005. Useful for exchanging data between the servlets.

Books:

1. Java Network Programming and Distributed Computing- Davis Reilly – Michael Really.

2. Core Servlets and JSP- Marty Hall.

3. How to program Java – Deteil and Deteil.

Acknowledgements:

1. Dr. Leszek Lilien

Department of Computer Science, Western Michigan University.

Appendix:

The appendix consists of:

1. The source code of the programs.

2. The IEEE paper for this implementation

3. The powerpoint presentation slides.

4. The JavaDocs of the classes used in the programs

[pic]

-----------------------

CLIENT

(Servlet)

Generates shared key for client

SERVER

(Servlet)

Database

Pointbase

Encrypt Data using DES + D.H

Retrieving Data

Stores Decrypted Data

Generates shared key for server

DH Key Generator Algorithm

HTML Page

FIGURE 01

Shared Key using FileInputStream

(from the file into which the DH algorithm writes the shared key)

Encrypt Plaintext message using cipher

Send the encrypted message to the servlet.

Generate DES Cipher

(Using shared Key)

Read Shared Key from file

Read plaintext using the doGet function using get parameter method

To servlet using URL Redirecting

Plain Text

HTML

(i)

(ii)

(iii)

FIGURE 02

Shared Key using FileInputStream

(from the file into which the DH algorithm writes the shared key)

Decrypt the message using the shared key object and DES (in DECRYPT mode).

Read Shared Key from

file

Read encrypted message using the doGet function using get parameter method

OUTPUT

on screen.

Encrypted message

( from client)

Log the decrypted data into the database.

Display the encrypted and decrypted data as the output

FIGURE 03

(iii)

(ii)

(i)

Write message into database

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download