Above all, we need to know that asymmetric encryption is much slower than symmetric encryption, so in practice the two are usually combined. First, asymmetric encryption is used to exchange a shared key for symmetric encryption; then, in the subsequent communication, that shared key is used to symmetrically encrypt all messages.
Key Exchange
Key exchange, in cryptography, refers to the protocol by which two communicating parties exchange a cryptographic key over an open channel. Of course, a key exchange usually does not transmit the key directly over the open channel; instead, the parties exchange certain factors for calculating the key (DH key exchange) or exchange the key encrypted with a public key (RSA key exchange). Both parties then arrive at the same key (also known as the shared key or shared secret), which is used for the subsequent encrypted data transmission.
Common key exchange protocols include RSA, DH, and ECDH.
RSA Key Exchange
RSA is an asymmetric encryption algorithm, and its basic principle can be simplified as follows. The selection of the three numbers E, D, and N must meet certain mathematical requirements, which will not be discussed in depth here.
Ciphertext = Plaintextᴱ mod N // RSA encryption, Public key={E, N}
Plaintext = Ciphertextᴰ mod N // RSA decryption, Private key={D, N} (结城浩, 2016)
[Figure: a simple example of RSA encryption and decryption]
If RSA is used in the key exchange process, the general steps are as follows:
- Bob sends his public key to Alice;
- Alice generates a shared symmetric key, encrypts it with Bob's public key, and then sends it to Bob;
- Bob uses his private key to decrypt the shared key;
- Shared key exchange completed.
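The formulas and the four exchange steps above, worked through with small numbers. This is an added example, not code from the original page; the function names and the toy primes 61 and 53 are assumptions chosen so the arithmetic can be checked by hand.

```python
import math
import secrets

def make_keypair(p, q, e=17):
    """Derive public {E, N} and private {D, N} from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("E must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # D is the modular inverse of E (Python 3.8+)
    return (e, n), (d, n)

def encrypt(plaintext, public_key):
    """Ciphertext = Plaintext^E mod N."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be smaller than N")
    return pow(plaintext, e, n)

def decrypt(ciphertext, private_key):
    """Plaintext = Ciphertext^D mod N."""
    d, n = private_key
    return pow(ciphertext, d, n)

def key_exchange(bob_public, bob_private):
    """Run the four steps; returns (Alice's key, value on the wire, Bob's key)."""
    _, n = bob_public                          # step 1: Alice has Bob's public key
    shared = secrets.randbelow(n - 2) + 2      # step 2: Alice picks a key in [2, N-1]
    on_wire = encrypt(shared, bob_public)      #         and sends only the ciphertext
    recovered = decrypt(on_wire, bob_private)  # step 3: Bob decrypts with D
    return shared, on_wire, recovered          # step 4: both sides hold the same key

# Constructed toy primes. Real RSA uses primes of 1024+ bits each and a
# padding scheme such as OAEP rather than the bare formula.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(61, 53)

if __name__ == "__main__":
    alice_key, on_wire, bob_key = key_exchange(BOB_PUBLIC, BOB_PRIVATE)
    print("on the wire:", on_wire, "| keys match:", alice_key == bob_key)
```

Because Bob's private key is long-lived, anyone who records `on_wire` and later obtains D can recover the shared key.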
Diffie-Hellman(DH) Key Exchange
DH key exchange was the first published public-key algorithm (asymmetric encryption) and was widely used in key exchange.
DH key exchange steps are as follows:
- Agree on public parameters
  The two parties (let's call them Alice and Bob) choose a large prime number p and a base g (an integer less than p that is a primitive root modulo p) and share them publicly;
- Each party generates private/public keys
  • Alice randomly chooses a private key a (between 1 and p-1) and calculates the public key A = gᵃ mod p;
  • Bob also randomly chooses a private key b (less than p) and computes the public key B = gᵇ mod p;
- Exchange public keys
  Alice and Bob send their public keys (A, B) to each other. This exchange can be done over an insecure channel.
- Each party computes the shared key
  • Alice calculates the shared key s = Bᵃ mod p;
  • Bob calculates the shared key s = Aᵇ mod p;
  • Due to the properties of mathematics, the s that Alice and Bob calculate is the same.
- Sending messages encrypted by the shared key
Elliptic-curve Diffie–Hellman(ECDH) Key Exchange
Elliptic-curve Diffie–Hellman (ECDH) is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography. It has better computing performance and security than the classical DH algorithm that uses modular arithmetic. The elliptic curve is a curve described by the equation y² = x³ + ax + b, and its plot is as follows:
[Figure: plot of an elliptic curve]
ECDH key exchange steps are similar to the classical DH algorithm, but the calculation method is different:
- Agree on public parameters
  Both parties (Alice and Bob) agree on the following elliptic curve parameters:
  - Elliptic Curve function EC,
  - Generator point G,
- Generate private keys and public keys
  - Private keys: Each party generates a random private key (a large integer). Alice gets a, and Bob gets b. These private keys are kept secret and never shared.
  - Public keys: Each party computes their corresponding public key by performing elliptic curve point multiplication with the generator point. Alice gets Pa = G•a, and Bob gets Pb = G•b.
  - The multiplication operation • here is the scalar multiplication of the elliptic curve, not the ordinary multiplication.
- Exchange public keys
  Alice and Bob send their public keys to each other. This exchange can be done over an insecure channel.
- Each party computes the shared key
  - Alice: K = a•Pb = a•(b•G)
  - Bob: K = b•Pa = b•(a•G)
  - According to the properties of elliptic curve multiplication, the K calculated by both parties is the same.
- Sending messages encrypted by the shared key
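The ECDH steps above on a curve small enough to check by hand. This is an added example, not code from the original page; the toy curve y² = x³ + 2x + 2 over F₁₇ with G = (5, 1), the function names and the private keys 3 and 7 used to exercise it are all assumptions.

```python
# Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1),
# which generates a group of order 19. Far too small for real use.
P_FIELD, A_COEF, B_COEF = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity, the identity element of the group

def on_curve(pt):
    """True if pt satisfies the curve equation (or is the point at infinity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_FIELD == 0

def add(p1, p2):
    """Elliptic-curve point addition (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF  # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def scalar_mult(k, pt):
    """k•pt by double-and-add (not constant-time; demonstration only)."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def shared_point(own_private, peer_public):
    """K = own_private • peer_public, rejecting invalid peer keys first."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public key is not a valid curve point")
    return scalar_mult(own_private, peer_public)
```

The check in `shared_point` matters in practice: a received public key that is not on the agreed curve must be rejected before it is multiplied by a private key.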
Forward secrecy
RSA, as well as basic DH and ECDH, lack forward secrecy. For DH and ECDH, we can choose a new private key for each session, which ensures forward secrecy. These variants are called DHE and ECDHE. The E stands for Ephemeral, which means the private key is temporary and only used in one session.
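The classical DH steps from the earlier section, run with a fresh private key per session as DHE does. This is an added example, not code from the original page; the toy parameters p = 23 and g = 5, the function names, and the use of SHA-256 to turn s into a key are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 23 is prime and g = 5 is a primitive root
# modulo 23. Real groups use primes of 2048 bits or more.
P, G = 23, 5

def ephemeral_keypair(p=P, g=G):
    """Fresh private key a in [1, p-1] and public key A = g^a mod p."""
    while True:
        a = secrets.randbelow(p - 1) + 1
        A = pow(g, a, p)
        if 1 < A < p - 1:  # skip the degenerate public values 1 and p-1
            return a, A

def shared_secret(own_private, peer_public, p=P):
    """s = peer_public^own_private mod p, after validating the peer's value."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public key outside (1, p-1)")
    return pow(peer_public, own_private, p)

def session_key(s, p=P):
    """Hash s into a fixed-length symmetric key (real protocols use a KDF such as HKDF)."""
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def run_session(p=P, g=G):
    """One DHE session: both sides make fresh keys, exchange A and B, derive s."""
    a, A = ephemeral_keypair(p, g)
    b, B = ephemeral_keypair(p, g)
    s_alice = shared_secret(a, B, p)
    s_bob = shared_secret(b, A, p)
    if s_alice != s_bob:
        raise RuntimeError("key agreement failed")
    # a and b go out of scope here: no long-lived secret remains that could
    # recompute s from a recording of A and B.
    return {"A": A, "B": B, "key": session_key(s_alice, p)}

if __name__ == "__main__":
    for n in (1, 2):
        print("session", n, run_session()["key"].hex()[:16])
```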
Preventing MITM attacks
From the basic steps of key exchange described above, we can see that they are all vulnerable to man-in-the-middle attacks, so in practical applications a certificate verification step needs to be added. I will show this in the TLS handshake below.
TLS1.2 handshake
What is the difference between the pre-master secret, the master secret, and the session key? At which stage is each one generated?
TLS1.3 handshake
Cipher suite naming scheme
Each cipher suite has a unique name used to identify it and describe its algorithmic contents. The name usually follows certain rules and consists of the following segments, separated by underscores:
[protocol]_[key exchange algorithm]_[authentication algorithm]_[session encryption algorithm]_[message authentication algorithm]
Take TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for example.
- TLS
  Defines the protocol this cipher suite is for; it will usually be TLS.
- ECDHE
  Indicates the key exchange algorithm being used.
- RSA
  Authentication mechanism during the handshake, used to verify that the other party is who they claim to be.
- AES_128_GCM
  Session cipher algorithm. After the handshake, the session communication between the two parties will be encrypted using a symmetric encryption algorithm.
- SHA256
  Indicates the message authentication algorithm used to generate a MAC (Message Authentication Code) and authenticate a message.
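A small parser for the naming scheme above that also flags suites whose key exchange is not ephemeral. This is an added example, not code from the original page; the function names and the sample list are assumptions, and it goes beyond the page's single example by handling names with one handshake segment (TLS_RSA_WITH_...) and TLS 1.3 names, which contain no WITH.

```python
EPHEMERAL_KEX = {"DHE", "ECDHE"}  # key exchanges that give forward secrecy

def parse_cipher_suite(name):
    """Split a cipher suite name into the segments described above."""
    parts = name.split("_")
    if len(parts) < 3 or parts[0] != "TLS":
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    if "WITH" in parts:
        split = parts.index("WITH")
        handshake, bulk = parts[1:split], parts[split + 1:]
        if not handshake or len(bulk) < 2:
            raise ValueError(f"malformed cipher suite name: {name!r}")
        kex = handshake[0]
        # TLS_RSA_WITH_...: a single handshake segment does both jobs.
        auth = "_".join(handshake[1:]) or kex
        forward_secrecy = kex in EPHEMERAL_KEX
    else:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) list only cipher and
        # hash; key exchange and authentication are negotiated separately.
        kex = auth = forward_secrecy = None
        bulk = parts[1:]
    return {
        "protocol": parts[0],
        "key_exchange": kex,
        "authentication": auth,
        "cipher": "_".join(bulk[:-1]),
        "mac": bulk[-1],
        "forward_secrecy": forward_secrecy,
    }

def without_forward_secrecy(names):
    """Names whose key exchange is stated in the name and is not ephemeral."""
    return [n for n in names if parse_cipher_suite(n)["forward_secrecy"] is False]

# Constructed sample list, e.g. what a server configuration might offer.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print(without_forward_secrecy(SAMPLE_SUITES))
```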
References
- Wikipedia contributors. (2024a, May 5). Key exchange. Wikipedia. https://en.wikipedia.org/wiki/Key_exchange
- Wikipedia contributors. (2024b, September 5). Cipher suite. Wikipedia. https://en.wikipedia.org/wiki/Cipher_suite
- Wikipedia contributors. (2024c, October 12). Diffie–Hellman key exchange. Wikipedia. https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- Wikipedia contributors. (2024d, October 14). Elliptic-Curve Diffie–Hellman. Wikipedia. https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman
- 结城浩. (2016). 图解密码技术: 第3版.