Score:1

Crypto

Can a MITM during Diffie-Hellman key exchange manipulate both sides to generate symmetric secrets?

smatt

9/16/23, 1:18 PM

Is it possible for an attacker on a Diffie-Hellman key exchange to manipulate both sides in a way so that the secret generated on each side is identical?

Or put differently, would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets of both parties do not match?

104

0 + 0

key-exchange

diffie-hellman

man-in-the-middle

encoding

Score:1

Crypto

Maarten Bodewes

9/16/23, 1:34 PM

Is it possible for an attacker on a Diffie-Hellman key exchange to manipulate both sides in a way so that the secret generated on each side is identical?

If both parties use a well seeded CSPRNG then this should not be possible to have identical DH private keys.

As for the shared secret, the whole idea of DH - and any key establishment scheme - is that the secrets on both sides match. So if the attacker doesn't do anything the "secret on each side is identical".

Or put differently, would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets on both parties do not match?

We can authenticate the public keys in the scheme so that the keys and the generated keys can be trusted.

We can also make sure that both sides have the correct secret by performing a message authentication code over a known message (such as the communication transcript so far).

0 + 0

smatt

9/16/23, 2:57 PM

Thank you for the response.

Maarten Bodewes

9/16/23, 3:06 PM

You're welcome. If you think this answers your question you can accept it, it's the best way to say thanks (you can also wait a bit to see if any other answers pop up if you want, no need to be hasty).

smatt

9/16/23, 3:08 PM

If the man-in-the-middle is trying to intercept the communication, he will separately perform DH key exchange with both sides, correct? Is it possible in this scenario for the attacker carefully "choose" his private keys in this interaction that combined with the public keys identical shared secrets are obtained for both sides?

Maarten Bodewes

9/16/23, 3:57 PM

Ah, yes, good question. I think that you need to take a look at [this answer](https://crypto.stackexchange.com/q/2131/1172). Basically, you need to perform public key validation. Quite obviously: if you use 0 as private key then the public key $g^x = g^0 = 1$, and you can raise that to any power, but it will stay $1$ (this is the extreme case). One way around this is to use [X25519](https://cr.yp.to/ecdh.html#validate) or X448.

Score:0

Crypto

kelalaka

9/16/23, 7:45 PM

Can a MITM during Diffie-Hellman key exchange manipulate both sides to generate symmetric secrets?

Let's assume that the MITM attacker can create an exchanged key that is the same on both sides. I.e., the party $A$ gets $g^t$ from the attacker and calculates $g^{at}$ and party $B$ gets $g^u$ from the attacker and calculates $g^{bu}$ such that $g^{at} = g^{bu}$.

If the attacker sends the identity element, then both sides will have the key as the identity element. This is a trivial solution and detectable (Other than the trial solution needs a reduction...)

would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets on both parties do not match?

On the Major systems, protection from MITM attacks is done with certificates. Sometimes we do TOFU ( Trust On the First Usage) like in Signal ( and in the weaker WhatsApp) and later validate the public keys ^*.

One simple solution is reading the hex values on the phone since it is harder ( not impossible ) to fake real-time speech.

_{^* Have you ever validated one key in the Signal ( or WhatsApp)?}

0 + 0

Maeher

9/16/23, 8:46 PM

This reduction does not work. The mistake is that the attacker does not need to compute $t$ and $u$. They only need to compute $g^t$ and $g^u$. One attack is e.g. sending the neutral element of the group.

kelalaka

9/16/23, 9:20 PM

@Maeher You are right. the trivial solution exists, Can you see the reduction in the non-trivial case? If so, can you write an answer, I'm happy to see and delete this.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can a MITM during Diffie-Hellman key exchange manipulate both sides to generate symmetric secrets?

TH: MITM ระหว่างการแลกเปลี่ยนคีย์ Diffie-Hellman สามารถจัดการทั้งสองฝ่ายเพื่อสร้างความลับที่สมมาตรได้หรือไม่

RO: Poate un MITM în timpul schimbului de chei Diffie-Hellman să manipuleze ambele părți pentru a genera secrete simetrice?

RU: Может ли MITM во время обмена ключами Диффи-Хеллмана манипулировать обеими сторонами для создания симметричных секретов?

VI: MITM có thể trong quá trình trao đổi khóa Diffie-Hellman thao túng cả hai bên để tạo bí mật đối xứng không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.