The Diffie-Hellman algorithm is not used for encryption, so how can it solve the key distribution problem? After all, don’t you have to encrypt the session key to create a digital envelope?
With DH, you don’t generate a symmetric session key and distribute it using public-key technology; instead, you use public-key technology to generate the symmetric session key. Each corresponding party possesses a secret value and a public value. If you combine a private value with the other public value, each individual will generate the same secret value (see Figure 4-14).
our third prime r) are smaller still?
The answer is yes. The more primes that make up the modulus, the faster the private key operations run. It’s all because of the Chinese Remainder Theorem.
The problem is that the more primes that make up the modulus, the easier it is to factor. More precisely, if “too many” primes make up the modulus, it’s easier. How many is too many? That depends on the size of the modulus. The bigger the modulus, the safer it is to use more primes. Using three primes to build a 1,024-bit modulus will not help an attacker; it will take just as long to factor as does a two-prime number. But should you use four primes to generate a 1,024-bit modulus? That may be too dangerous. If your modulus is 2,048 bits, four primes is safe, but five might not be.
Actually, that issue is still under contention. How many primes is it safe to use at various sizes of moduli? Although there is disagreement in some areas, it is widely believed that using three primes is safe for a 1,024-bit modulus. Research continues on the topic.
So if you hear about MultiPrime RSA, you’ll know that it has to do with making private key operations faster by using more than two primes to build a modulus.
Chapter 4
Figure 4-14 With Diffie-Hellman, you combine your private value with the other party’s public value to create a secret. The other party combines his or her private value with your public value and creates the same secret
Here’s how Pao-Chi and Gwen would make it work. Gwen has a DH key pair; the public key is (obviously) publicly available, and she keeps her private key someplace where only she has access. Inside Gwen’s public key is enough information for Pao-Chi to generate his own temporary DH key pair. Now both of them have a DH key pair (see Figure 4-15). For each of the key pairs, the public and private keys are related. But Pao-Chi’s and Gwen’s key pairs themselves are also related. Pao-Chi uses his private key and Gwen’s public key together to generate a number, called a secret value.
To encrypt the bulk data, Pao-Chi needs a session key. Instead of using an RNG or PRNG to generate the key, he uses the secret value result from the DH computations. For Gwen to read the message, though, she needs the session key. Since Pao-Chi used the DH secret value as his session key, that means Gwen needs the secret value. She can generate the secret value using her private key and Pao-Chi’s temporary public key, which he sends along with the message (see Figure 4-16).
Pao-Chi generates a temporary DH key pair using the information from Gwen’s public key. Now both parties have related key pairs, and each can create the same secret
Figure 4-16 Pao-Chi’s message has his public value first followed by the encrypted bulk data
The Diffie-Hellman algorithm does not encrypt data; instead, it generates a secret. Two parties can generate the same secret and then use it to build a session key for use in a symmetric algorithm. This procedure is called key agreement. Two parties are agreeing on a key to use. Another name found in the literature is key exchange. That description is not as accurate, but some people use it. It means that two parties perform an exchange, the result of which is a shared key.
But if Pao-Chi and Gwen can generate the secret, why can’t Satomi? Satomi knows Gwen’s public key and, if she’s eavesdropping, Pao-Chi’s temporary public key. If she puts those two keys together, what does she have? Nothing useful. The secret appears only when combining a public and a private value (each from a different person). Satomi needs one of the private keys—not both, just one.
A DH public key consists of a generator, a modulus, and a public value. The private key is the same modulus along with a private value. As with RSA, cryptographers exercise their creativity to give these numbers more melodious names: g, p, y, and x. The generator is g, the modulus is p, the public value is y, and the private value is x (see Figure 4-17). Here, p is a prime number; note that it’s not the product of two or more prime numbers but rather is itself a prime. You generate a key pair by finding the prime p first, then a generator g that works well with your p, and then a random or pseudo-random x. If you combine those numbers using modular exponentiation (see Figure 4-18), you get y.
$y = g^x \bmod p$
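The key agreement described above, as an added example (not code from the book): Gwen's long-term pair, Pao-Chi's temporary pair, and the secret each side derives. The RFC 2409 Oakley Group 2 prime, the SHA-256 step that turns the secret into a session key, the range check on the peer's public value, and all function names are assumptions chosen for this illustration.

```python
import hashlib
import secrets

# Assumed parameters: the 1,024-bit prime and generator 2 of RFC 2409 (Oakley
# Group 2). Sizes follow the page (1,024-bit p, 160-bit x); current guidance
# favours larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
X_BITS = 160


def generate_key_pair(p=P, g=G):
    """Return (x, y): a random 160-bit private x and public y = g^x mod p."""
    x = secrets.randbits(X_BITS) | (1 << (X_BITS - 1))  # force the top bit
    return x, pow(g, x, p)


def check_public_value(y, p=P):
    """Added check: reject 0, 1, p-1 and out-of-range values from a peer."""
    if not 2 <= y <= p - 2:
        raise ValueError("peer public value out of range")
    return y


def session_key(own_x, peer_y, p=P):
    """Combine own private value with the peer's public value, then hash."""
    secret = pow(check_public_value(peer_y, p), own_x, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def demo():
    gwen_x, gwen_y = generate_key_pair()   # Gwen's long-term pair
    pao_x, pao_y = generate_key_pair()     # Pao-Chi's temporary pair, same p and g
    k_pao = session_key(pao_x, gwen_y)     # sender side
    k_gwen = session_key(gwen_x, pao_y)    # receiver side, pao_y came with the message
    # Satomi holds only the two public values; their product is g^(x1+x2),
    # not the secret g^(x1*x2).
    satomi = hashlib.sha256(((gwen_y * pao_y) % P).to_bytes(128, "big")).digest()
    return k_pao, k_gwen, satomi


if __name__ == "__main__":
    k_pao, k_gwen, satomi = demo()
    print("keys match:", k_pao == k_gwen, "| public-only guess matches:", satomi == k_pao)
```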
We have said that there is a way to break all public-key algorithms. That includes DH. Satomi can break DH by deriving one of the private keys from its public partner. Because Satomi needs only one of the private keys, she’ll probably go after Gwen’s, which has been out there longer (remember, Pao-Chi generates his temporary private key only when he sends the message). Gwen’s public key consists of y, g, and p. All Satomi has to do is find x. In the preceding equation, Satomi knows all the values except one. High school algebra describes this as “one equation in one unknown.” That’s solvable, right?
Yes, it’s solvable. It’s known as the discrete log problem (finally, a more interesting name), and computer programs will solve it. But the longer the p, the more time the computer programs will take—in fact, the same time as it would take to factor. As it happens, the factoring problem and the discrete log problem are related. It’s commonly believed that if you solve one you solve them both. So in use, p should be 1,024 bits long.
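Why the size of p matters, as an added example (not code from the book): a generic square-root solver (baby-step giant-step, a technique chosen here and not named in the text) recovers x from a constructed 31-bit toy key almost instantly. Its cost grows like the square root of p, and the faster specialized methods for large p still depend on the size of p; the toy prime, generator and private value below are constructed for the illustration.

```python
from math import isqrt


def solve_discrete_log(g, y, p):
    """Find x with g^x mod p == y by baby-step giant-step.

    Returns (x, steps). Time and memory grow like sqrt(p), so every two
    extra bits in p roughly double the work.
    """
    m = isqrt(p - 1) + 1
    baby = {}
    value = 1
    for j in range(m):                    # baby steps: g^0 .. g^(m-1)
        baby.setdefault(value, j)
        value = value * g % p
    giant = pow(g, (-m) % (p - 1), p)     # g^(-m) mod p (Fermat's little theorem)
    gamma, steps = y % p, m
    for i in range(m):                    # giant steps: y * g^(-i*m)
        steps += 1
        if gamma in baby:
            return i * m + baby[gamma], steps
        gamma = gamma * giant % p
    raise ValueError("y is not a power of g modulo p")


# Constructed toy key, far below the 1,024 bits the page calls for.
TOY_P = 2**31 - 1        # a 31-bit prime
TOY_G = 7                # a generator for this prime
TOY_X = 123456789        # the private value to be recovered
TOY_Y = pow(TOY_G, TOY_X, TOY_P)

if __name__ == "__main__":
    x, steps = solve_discrete_log(TOY_G, TOY_Y, TOY_P)
    print(f"recovered x = {x} in {steps} steps")
```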
A 1,024-bit DH key pair. The number p is the modulus, g is the generator, y is the public value, and x is the private value
With RSA, you find two 512-bit primes and multiply them to get a 1,024-bit modulus. With DH, you find one 1,024-bit prime and use it as the modulus.
NOTE:
“Discrete log” doesn’t refer to a felled tree that’s good at keeping secrets (that would be a “discreet log”). The word “discrete” means that we’re working with the math of integers only—no fractions or decimal points— and the word “log” is short for “logarithm.”
With RSA, you can’t use a single prime as the modulus; you must multiply two primes. But with DH, you use a single prime as the modulus. Why is it that single-prime RSA can be broken but single-prime DH cannot? The answer is that the two algorithms do different things. RSA encrypts data, whereas DH performs key agreement. With RSA, you use a value called d that is dependent on (n). With DH, you don’t use d, and you don’t mess around with (n).
So Satomi will need a few million years to break Gwen’s private key by going the discrete log route. What about brute force—would that work? The private key is really just x, a random or pseudo-random number that can be as long as Gwen wants it to be. If she wants it to be 160 bits, she can make it 160 bits. Then Satomi won’t be able to mount a brute force attack on it. Gwen could make x even longer, but the longer it is, the longer it will
Figure 4-18 Generating a DH public and private key pair
as possible. Today, 160 bits is probably the most common size of x.