Explaining the Diffie-Hellman Key Exchange

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] hey everybody John wagging on here with Deb central we're coming to you with another light board lesson video and today we're going to talk about the diffie-hellman key exchange we we've done some stuff on TLS 1.3 some stuff on perfect forward secrecy and diffie-hellman key exchange is time into that that whole forward secret perfect forward secrecy idea and so a few people have asked say how does the diffie-hellman key exchange work from a mathematical perspective so we're gonna run through that today show you kind of how the whole thing works the essence of the difficulty exchange is you have a client and a server that both need to exchange keys and ultimately come to a shared secret key so that they can do the bulk encryption you know when they communicate back and forth so the issue the the essence again of diffie-hellman is that we're working on that key exchange how do they actually exchange keys alright so in a i'll just kind of draw this whole thing up here you've got the typical client on this side and server on this side and they need to exchange keys right so that they can get to that again that bulk encryption you know algorithm that that bulk encryption at the bottom so the whole key exchange thing the diffie-hellman key exchange works like this before they start to exchange you know values and numbers and all that kind of stuff there is a shared there's a couple of shared values that they've already agreed upon one of them will call a modulo our output mod which is also referred to a lot of times as you know about the letter P and then there's also this idea of a base which is referred to I'm going to call it G some people use in for the base frankly it doesn't really matter what letter you use to describe it it's what matters is that it is there and it is a shared value that is known frankly to everyone even an outside like eavesdropper would know these values and a couple of notes about these numbers that are again agreed upon beforehand P the value for P is a prime number and the larger the value of P the better or the Mercer the more secure this whole thing is going to be G as well is related to P in that it is a primitive root modulo of P so so these two numbers are not just randomly you know generated prime numbers they actually are you know they're related to one another so so anyway in this case I'm going to put a couple of actual numbers up here so we can run through an actual example of how this whole thing would work and for the random number P I'm gonna say 23 is the value there and then one of the primitive root modulo is of 23 which again has the property of G is 5 so I'm going to choose 5 for our value of G of course these are not numbers you would want to use in the real world because they're very easy to crack but it shows the actual mathematics of it all which are exactly the same the you know the mathematical formulas and all that stuff alright so you have a client over here you have a server over here you have known agreed-upon numbers in the middle that both parties have agreed to and that are known to the whole world all right what the client and server are both going to do independent of one another is calculate these secret values so I'll say secret value or secret number over here and I'm going to call on the client side I'm going to say little a is what we're gonna represent that to be and then over here on the server side there's also a secret number and we'll call it a little B all right so the formula to create the secret value on the client side and then also the one on the server side it goes like this or I'm sorry the the secret value for the client and the server are just randomly chosen numbers should say that first and then you're going to use those to then create another shared value so the secret value that I'm going to choose over here for a going to be the number four and then over here for B I'm going to say is the number three so again these are just randomly generated numbers by the client in the server independently you can see they don't have to be prime they're just random numbers that that the client server generated which by the way the thing one of the things that underpins all of this stuff is a is a good random number generator so we won't get into too you know how to do good random number generation but just suffice it to say you need a good random number generator to you know to to create a lot of this stuff and really make it secure so so many way so you've got four over here you've got three over here these are the secret values that no one is going to know except the client and the server and no one else all right from these numbers we can start to calculate what we'll call a shared value and so on the client side because we're going to use the little a value to generate this calculated number we'll call the shared number now big a and that is going to equal G which is the base raised to the power of little a and then modulo and then of course the mod is P all right so that's the overall formula to create this now shared value that we're going to send over to the server the server's gonna do the same thing over here so we're gonna say B Big B equals the base G raised to little B power modulo P as well alright so as we roll through this big a is going to equal G which is five raised to the power of four modulo P which is twenty three all right and then the same thing going to happen over here G which is still five raised to the power of little B which is 3 modulo P which is 23 all right so these values are going to come out to be big a is going to be the number four and Big B is going to be the number ten all right what we're going to do is this client is going to share that a with the server and so that again equals four so they're just simply going to send the number four to the server likewise the server it's gonna come over here and say B equals 10 and the server is going to share that B number with the client so again if you're a bad guy in the middle you have the value for P of the value for G now you have the calculated value a that was derived using the secret value you also have the calculated value B which is derived using this secret value over here you know given these formulas and then what they're going to be able to do at that point the client and the server because they have their secret values of course they're going to be able to calculate what I'm going to call this shared key so shared I'll just call it shared you can call it whatever you want and that is going to be derived or calculated via this formula using the calculated value from the other side so the way that the formula goes is this is Big B raised to the power of little a so you're still using your own secret value modulo P so we're still going to mod with the with the mod value that we have up here and then again on this other side we're going to say secret or shared so I'll say shared equals and it's going to be kind of just the reverse so they're going to use the the value for a raised to the power of little B mod P all right so you can start to see where you use the calculated value from the other side but you still use your own shared value that are your own secret value that no one else knows so the question is are the when we run through these shared value equations are we going to get the same thing and in this case the answer is this is going to be 10 raised to the power of 4 right mod that's a 4 mod 23 right because our mod is still 23 and then this one is gonna be a which is 4 raised to the power of B which is 3 mod 23 all right the question is what is all that and the answer is 18 over here and you guys can get your calculators out and all the rest but the answer over here is also going to be excuse me 18 that was not a very good eight all right so what has happened here is you have you have a client in a server who have run through all these different mathematical you know calculations and all that and they have arrived at the same shared value and then they can use that to then input into a bulk encryption algorithm so I'll just say you know bulk you know bulk encryption down here and that may be something like you know a es or you know what a es is a really common one but they can use that as their shared key to then you know bulk encrypt everything beyond that alright so a couple of things again if you're a if you're a attacker eavesdropper bad guy you've got P you've got G you've got a you got B and so the question is can you calculate this shared value and the answer is it's very very difficult as long as this value for P is large enough so so anyway this is the the mathematical formula or the mathematical problem that this that this is based on it's called the discrete logarithm problem and and that underpins the whole you know security of this entire thing so so anyway it's again if P is large enough then it's very computationally expensive very computationally difficult to derive this shared value one last thing that I would mention whenever you talk about diffie-hellman ephemeral which is a term you may hear from time to time ephemeral means very short-lived it doesn't it's not around for very long and in the context of Diffie Hamlin diffie-hellman ephemeral key exchange essentially what happens is the secret values up here these random integers that the server and client generate on their own they change every single session between a client and a server so so it makes it very very difficult if you were to grab this you know if you were to somehow calculate the shared key in one session because this is going to change even though PG and all this other stuff stays the same because the secret values these integers change change every single time you would not be able to go back and deke every single you know message between client and server except for just that one session that you got so it makes it it makes it more secure that's what we call perfect forward secrecy so anyway so I hope you've learned a couple things here with diffie-hellman key exchange it's kind of cool the way the mathematics works behind it you know you use it knowingly or not probably every single day multiple times but here it is really a really cool stuff that helps the internet work and stay secure so thanks for hanging in there and watching this light board lesson hey if you like this video you can click right here on our DC ball and subscribe to our YouTube channel and we'll see you guys out there in the community you
Info
Channel: F5 DevCentral
Views: 55,445
Rating: undefined out of 5
Keywords: f5, devcentral, key, exchange, tls 1.3, security, cryptography, encryption, diffie, hellman, perfect forward secrecy, PFS, ephemeral
Id: pa4osob1XOk
Channel Id: undefined
Length: 11min 48sec (708 seconds)
Published: Tue Jul 17 2018
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.