From: Ben Nagy (ben@iagu.net)
Date: Mon Aug 04 2003 - 10:26:54 EDT
Let me answer your last question first, for impatient readers:
Yes, you're thinking about this too much. ;)
The rest is in line.
> -----Original Message-----
> From: Jeremy Junginger [mailto:jj@act.com]
> Sent: Friday, August 01, 2003 8:08 PM
> To: pen-test
>
> In reading about Diffie Hellman Exchanges and Symmetric
> Encryption between
> Cisco Routers, and studying Cisco IOS architecture white
> papers, I noticed
> that the two large prime numbers used on Cisco Routers for
> the Diffie-Hellman
> Key Exchange(s) (which generates keying material for
> symmetric encryption
> algorithms such as DES and 3DES) are hard-coded on the
> devices. That got me
> a little excited. But I'm not sure if this is possible
> mathematically, as
> the modulus function truncates the original value prior to
> exchanging it over
> the wire.
The first thing you should do is refresh yourself on how DH works - it's
mathematically quite simple to understand, and extremely cute (um...if you
like that kind of thing)
The basic principle is this - You have Bob and Alice, who want to have a
shared secret - they will later use this secret to do, well, secret things
like key crypto algorithms. DH is a way that they can share a secret over
the insecure network by exchanging public information (as long as they know
each other's identity is not being faked - DH hates MitM attacks, which is
why it should be signed).
In maths terms, we take two public values - a generator (the number 2, for
our purposes here) and a Big Prime - maybe, say, 3. Note: do not use three
in real life ;). This Big Prime is the number that has gotten you all
excited, by the way.
Next is the tricky bit. Alice and Bob both make up a large number, which
they never tell anyone, and don't ever use again. I'll call them xA and xB.
They both compute g ^ x mod P for their own respective x values. Example: 2
^ 12 (Bob's secret value) mod 3 is 1. These are now what's called their DH
PUBLIC values, and can be safely swapped. Next, Alice does (2^xA)^xB (all
mod p of course) == 2^xA.xB mod p. Bob does the same in reverse and gets
2^xB.xA mod p, and they're both the same number because...well because.
An attacker who intercepts these values can't work out the final product
unless they can invert one of the modulus values that went across the wire,
which is mathematically Hard (discrete log problem).
> Could somebody clarify if these large prime values differ
> from router to
> router?
No, they won't, mainly because they're mandated in one of the IPSec RFCs
(2409, cf). One of the things you need to do to make DH work is agree on a
prime. It doesn't matter if that prime is public, so they decided to write
down a couple of Strong Primes to save DH implementations the trouble and
risk of exchanging them as part of the process.
[lots of other questions skipped, should be obvious now]
> Thanks for your thoughts
>
> Jeremy
Hope this clears things up, and back to the lurk bin with me...
ben
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:37 EDT