DH algorithm for key exchange


Several types of key exchange/negotiation mechanisms

Rely on asymmetric encryption algorithm

Principle: The party who has obtained the public key first generates a random session key, and then encrypts it with the public key; then sends the encryption result to the other party, and the other party uses the private key to decrypt; so both parties get the session key.

Example: RSA

Rely on a dedicated key exchange algorithm

Principle: see the picture below

Example: DH algorithm and its variants (ECDH algorithm)

DH algorithm

The DH algorithm solves the problem of establishing a shared key between two parties without ever sending the key itself over the channel. This seemingly magical exchange rests entirely on mathematical theory.

1. Alice chooses a prime number p, for example 509, a base g, for example 5, and a random number a, for example 123,
    and then calculates A = g^a mod p = bcmod(bcpow(5,123),509) = 215.
    Alice now has [p=509, g=5, a=123, A=215] and sends p, g, A to Bob.

2. After Bob receives p=509, g=5, A=215, he chooses a random number b=456 and
    calculates B = g^b mod p = bcmod(bcpow(5,456),509) = 181
    and s = A^b mod p = bcmod(bcpow(215,456),509) = 121.

    Bob now has [p=509, g=5, b=456, B=181, s=121, A=215].
    Bob sends B=181 to Alice.

3. Alice now has [p, g, a, A, B].

    Alice calculates s = B^a mod p = bcmod(bcpow(181,123),509) = 121.
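The exchange above, carried out in Python as an added example that is not part of the original post. Python's built-in `pow(g, a, p)` plays the role of `bcmod(bcpow(g, a), p)` without ever materialising g^a. The brute-force discrete logarithm at the end is included only to show why the toy prime 509 offers no protection: an eavesdropper who sees p, g and A recovers a in a few hundred multiplications, which is exactly what becomes infeasible once p is a prime of 2048 bits or more.

```python
import secrets


def dh_public(g, priv, p):
    """Public value g^priv mod p (the A or B sent over the network)."""
    return pow(g, priv, p)


def dh_shared(peer_pub, priv, p):
    """Shared secret peer_pub^priv mod p; never transmitted."""
    return pow(peer_pub, priv, p)


def random_private(p):
    """Random exponent in [1, p-2]; for real parameters p is ~2048 bits."""
    return 1 + secrets.randbelow(p - 2)


def run_exchange(p=509, g=5, a=123, b=456):
    """Run one DH agreement. Defaults are the toy values from the post;
    pass a=None / b=None to draw fresh random exponents."""
    if a is None:
        a = random_private(p)
    if b is None:
        b = random_private(p)
    A = dh_public(g, a, p)      # Alice -> Bob: p, g, A
    B = dh_public(g, b, p)      # Bob -> Alice: B
    s_alice = dh_shared(B, a, p)
    s_bob = dh_shared(A, b, p)
    assert s_alice == s_bob     # mathematical guarantee: (g^b)^a == (g^a)^b
    return A, B, s_alice


def discrete_log_bruteforce(g, target, p):
    """Smallest x with g^x == target (mod p), by exhaustive search.
    Only feasible because p is tiny; this is the problem a large p makes hard."""
    acc = 1
    for x in range(p):
        if acc == target:
            return x
        acc = acc * g % p
    return None


if __name__ == "__main__":
    A, B, s = run_exchange()
    print(f"A={A} B={B} shared secret s={s}")          # A=215 B=181 s=121
    print("eavesdropper recovers a =", discrete_log_bruteforce(5, A, 509))
```

The `run_exchange()` defaults reproduce the numbers in the post (A=215, B=181, s=121); with `a=None, b=None` the same function performs a fresh agreement with random exponents.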

Therefore, the key s negotiated by both parties is 121. Note that s is never transmitted over the network. An eavesdropper who sees p, g, A and B cannot feasibly compute s from them, because recovering a from A (or b from B) is the discrete logarithm problem, and the prime chosen by the real algorithm is very large.

Therefore, to be more precise, the DH algorithm is a key agreement algorithm. The two parties finally negotiate a common key, and this key will not be transmitted over the network.

If we regard a as Alice's private key, A as Alice's public key, b as Bob's private key, and B as Bob's public key, the essence of the DH algorithm is that each party generates its own private and public key. The private key is visible only to its owner; the public keys are exchanged, and the final secret key secretKey is derived from one's own private key and the other party's public key. The DH algorithm guarantees, by mathematical law, that the secretKey computed by both parties is the same.

But the DH algorithm does not solve the man-in-the-middle attack: neither party can be sure that the peer it is communicating with is really the other party. Eliminating the man-in-the-middle requires other methods.

  • The DH algorithm is a key exchange protocol in which the two communicating parties negotiate a key over an insecure channel and then use symmetric encryption for the actual transmission.
  • The DH algorithm does not solve the man-in-the-middle attack.

But the DH algorithm itself has a disadvantage: it does not support authentication.

That is to say: although it can defend against "peeping" (eavesdropping), it cannot defend against "tampering", and therefore cannot defend against a "man-in-the-middle (MITM) attack" (without identity authentication it is inevitably exposed to a man-in-the-middle).

ECDHE

  • 1. The client generates a random value Ra, computes Pa(x, y) = Ra * Q(x, y), and sends Pa(x, y) to the server.
    Q(x, y) is the base point of a standardised elliptic curve recognised worldwide.

  • 2. The server generates a random value Rb, computes Pb(x, y) = Rb * Q(x, y),
    and sends Pb(x, y) to the client.

  • 3. The client computes Sa(x, y) = Ra * Pb(x, y);
    the server computes Sb(x, y) = Rb * Pa(x, y).

  • 4. The algorithm guarantees Sa = Sb = S, and the x coordinate of S is extracted as the key (pre-master key).
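The four ECDHE steps above, worked through in Python as an added example that is not part of the original post. It uses a constructed toy curve, y^2 = x^3 + 2x + 2 over the integers mod 17 with base point Q = (5, 1) of order 19, so that every intermediate point can be checked by hand; a real deployment uses a standardised curve (for example P-256 or X25519) and a library implementation, not this code. The point arithmetic (addition, doubling, double-and-add scalar multiplication) is the general algorithm that every elliptic-curve Diffie-Hellman implementation performs; only the curve parameters are toy-sized.

```python
import secrets

# Constructed toy curve: y^2 = x^3 + A_COEF*x + B_COEF (mod P_MOD).
P_MOD = 17
A_COEF = 2
B_COEF = 2
Q = (5, 1)      # base point "recognised around the world" in the post; here a toy one
ORDER = 19      # number of multiples of Q, so 19*Q is the point at infinity


def on_curve(pt):
    """True if pt satisfies the curve equation (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def point_add(p1, p2):
    """Group law on the curve; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p1 == -p2, sum is the identity
    if p1 == p2:                         # doubling: tangent slope
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (this is what 'Ra * Q(x, y)' means)."""
    result = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdhe(ra, rb):
    """Steps 1-4 of the post. Returns (Pa, Pb, S, pre-master key = x of S)."""
    pa = scalar_mult(ra, Q)          # step 1: client sends Pa
    pb = scalar_mult(rb, Q)          # step 2: server sends Pb
    sa = scalar_mult(ra, pb)         # step 3: client side
    sb = scalar_mult(rb, pa)         # step 3: server side
    assert sa == sb and sa is not None   # step 4: Sa = Sb = S
    return pa, pb, sa, sa[0]


def random_scalar():
    """Random value in [1, ORDER-1]; a real curve has an order of ~2^256."""
    return 1 + secrets.randbelow(ORDER - 1)


if __name__ == "__main__":
    pa, pb, s, key = ecdhe(random_scalar(), random_scalar())
    print(f"Pa={pa} Pb={pb} S={s} pre-master key={key}")
```

With Ra = 3 and Rb = 7 the exchange gives Pa = 3Q = (10, 6), Pb = 7Q = (0, 6) and S = 21Q = 2Q = (6, 3), so the pre-master key is 6; the assertion in `ecdhe()` is the "Sa = Sb" guarantee of step 4. Exactly as with plain DH, nothing here authenticates Pa or Pb, which is why ECDHE in TLS is combined with a signature over the exchanged values.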

Origin blog.51cto.com/huangkui/2677734