Score:1

Can a MITM during Diffie-Hellman key exchange manipulate both sides to generate symmetric secrets?


Is it possible for an attacker on a Diffie-Hellman key exchange to manipulate both sides in a way so that the secret generated on each side is identical?

Or put differently, would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets of both parties do not match?

Score:1

Is it possible for an attacker on a Diffie-Hellman key exchange to manipulate both sides in a way so that the secret generated on each side is identical?

If both parties use a well-seeded CSPRNG then it should not be possible to have identical DH private keys.

As for the shared secret, the whole idea of DH - and any key establishment scheme - is that the secrets on both sides match. So if the attacker doesn't do anything the "secret on each side is identical".

Or put differently, would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets on both parties do not match?

We can authenticate the public keys in the scheme so that the keys and the generated keys can be trusted.

We can also make sure that both sides have the correct secret by performing a message authentication code over a known message (such as the communication transcript so far).

Thank you for the response.
Maarten Bodewes
You're welcome. If you think this answers your question you can accept it, it's the best way to say thanks (you can also wait a bit to see if any other answers pop up if you want, no need to be hasty).
If the man-in-the-middle is trying to intercept the communication, he will separately perform a DH key exchange with both sides, correct? Is it possible in this scenario for the attacker to carefully "choose" his private keys in this interaction so that, combined with the public keys, identical shared secrets are obtained for both sides?
Maarten Bodewes
Ah, yes, good question. I think that you need to take a look at [this answer](https://crypto.stackexchange.com/q/2131/1172). Basically, you need to perform public key validation. Quite obviously: if you use 0 as private key then the public key $g^x = g^0 = 1$, and you can raise that to any power, but it will stay $1$ (this is the extreme case). One way around this is to use [X25519](https://cr.yp.to/ecdh.html#validate) or X448.
Score:0

Can a MITM during Diffie-Hellman key exchange manipulate both sides to generate symmetric secrets?

Let's assume that the MITM attacker can create an exchanged key that is the same on both sides. I.e., the party $A$ gets $g^t$ from the attacker and calculates $g^{at}$ and party $B$ gets $g^u$ from the attacker and calculates $g^{bu}$ such that $g^{at} = g^{bu}$.

If the attacker sends the identity element, then both sides will have the identity element as the key. This is a trivial solution and detectable (other than the trivial solution, this needs a reduction...)

would it be possible to detect an attack via MITM if we can detect via a different channel that the secrets on both parties do not match?

On the major systems, protection from MITM attacks is done with certificates. Sometimes we do TOFU (Trust On the First Usage) like in Signal (and in the weaker WhatsApp) and later validate the public keys *.

One simple solution is reading the hex values on the phone since it is harder (not impossible) to fake real-time speech.


* Have you ever validated one key in Signal (or WhatsApp)?

This reduction does not work. The mistake is that the attacker does not need to compute $t$ and $u$. They only need to compute $g^t$ and $g^u$. One attack is e.g. sending the neutral element of the group.
kelalaka
@Maeher You are right, the trivial solution exists. Can you see the reduction in the non-trivial case? If so, can you write an answer? I'm happy to see it and delete this.
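As an added example (not code from the question or either answer), a toy finite-field Diffie-Hellman exchange illustrating kelalaka's identity-element case and the public-key validation Maarten Bodewes points to: when the substituted peer key is 1, both parties derive the same "secret", so a key-confirmation MAC over the transcript matches on both sides and does not reveal the MITM, while subgroup validation rejects the key before it is used. The parameters (p = 23, g = 4) are constructed and far too small for real use.

```python
# Added example, not code from the question or its answers. Toy DH over a
# constructed safe prime p = 2q + 1 (far too small for real use): an
# unvalidated peer key of 1 = g^0 gives both sides the same "secret", so a
# secret-comparison check cannot detect the MITM; key validation does.
import hashlib
import hmac
import secrets

P = 23                 # constructed toy safe prime: 23 = 2 * 11 + 1
Q = (P - 1) // 2       # prime order of the subgroup we work in
G = 4                  # generator of the order-Q subgroup (4 has order 11 mod 23)

def keygen():
    """Private exponent from a CSPRNG and the matching public key."""
    x = 1 + secrets.randbelow(Q - 1)        # x in [1, Q-1], never 0
    return x, pow(G, x, P)

def validate_public_key(y):
    """Reject 0, 1, p-1 and anything outside the order-Q subgroup."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1

def shared_secret(x, peer_public):
    return pow(peer_public, x, P)

def key_confirmation_tag(secret, transcript):
    """HMAC over the transcript under a key derived from the secret;
    both sides compare tags to check they hold the same secret."""
    k = hashlib.sha256(secret.to_bytes(4, "big")).digest()
    return hmac.new(k, transcript, hashlib.sha256).hexdigest()

def identity_substitution(transcript=b"constructed transcript"):
    """MITM replaces both public keys with 1 = g^0.
    Returns (secrets_match, tags_match, key_passes_validation)."""
    a, _ = keygen()
    b, _ = keygen()
    forged = 1
    s_a, s_b = shared_secret(a, forged), shared_secret(b, forged)
    tags_match = hmac.compare_digest(key_confirmation_tag(s_a, transcript),
                                     key_confirmation_tag(s_b, transcript))
    return s_a == s_b, tags_match, validate_public_key(forged)

def honest_exchange():
    """Both keys validate and both sides derive the same secret."""
    a, ya = keygen()
    b, yb = keygen()
    ok = validate_public_key(ya) and validate_public_key(yb)
    return ok, shared_secret(a, yb) == shared_secret(b, ya)
```

The identity case returns matching secrets and matching tags but a failed validation, which is why the check belongs on the received public key rather than on the derived secret.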