In short, Diffie Hellman is a widely used technique for securely sending a symmetric encryption key to another party. Before proceeding, let’s discuss why we’d want to use something like Diffie Hellman in the first place. When transmitting data over the Internet as plain text, it’s easy for someone to use a packet sniffer like Wireshark to capture packets. A malicious person could listen in on the conversation you had with your girlfriend or, worse yet, steal passwords and credit card information. Fortunately, some very smart people came up with a way to encode information for transit. The process by which we convert ordinary plain text into something unintelligible and vice versa is known as cryptography. The most basic example of cryptography is called the Caesar Cypher.
In essence, both parties have a symmetric key which specifies which characters map to which symbols of the encrypted text. Those who don’t possess the key cannot read the message. For example, in the preceding image, the character ‘A’ would be encoded as a ‘T’ in the encrypted message. An individual on the receiving end could then use the same Caesar Cypher to decode the message.
In the realm of computer networking, the problem with symmetric encryption algorithms is that the key must inevitably be sent over the network to the other party so that they can decrypt incoming messages and encrypt their own in turn. If a malicious actor happened to be listening to the network at that point in time, they could obtain the key and use it for nefarious purposes.
This is where asymmetrical encryption comes into play. Asymmetrical encryption works by generating a public and private key pair. The public key can only be used to encrypt messages whereas the private key can only be used to decrypt messages. For example, when you do your online banking, you give the bank your public key, which is then used to encrypt the data sent back to you. If a bad guy gets their hands on the public key, they can’t do any real harm since they only have the ability to encrypt data.
Today, the most widely used asymmetrical encryption algorithm is RSA. RSA stands for Rivest–Shamir–Adleman after the people who first described the algorithm back in 1977. The RSA algorithm encrypts messages by raising the message to the power of the public key and then taking the modulo of the result. To decrypt a given message, we raise it to the power of the private key and then take the modulo of the result. RSA relies on a mathematical concept known as a one-way function. Suppose we had the following equation:
Now, say you were given the number 8 and asked to get back to 2³. Could you do it?
It’s relatively easy to work our way backwards in order to figure out all the factors of 8.
In contrast, the modulo (synonymous with remainder) operation is an example of a one-way function. Suppose we had the following equation:
If you were asked to derive 11 from 3, could you do it?
You may be able to obtain the correct answer (11) by trying out all the different possibilities (i.e. 3 % 4 = 3, 7 % 4 = 3, 11 % 4 = 3), but when the numerator is very large, as in the case of RSA (i.e. 4096 bits long), there are a lot, and I mean A LOT, of permutations that give a remainder of 3. Given this property, hackers would have no choice but to use brute force (try every possibility) to determine the private key from the encrypted message and public key. Given that today’s keys are 4096 bits long, it would take traditional computers centuries to go through all the possible values.
In practice, asymmetrical encryption is 3 to 5 orders of magnitude slower than symmetric encryption. Therefore, we don’t encrypt the actual payload using asymmetrical encryption. Rather, we use a technique like Diffie-Hellman to securely send a symmetric encryption key to the other party, and then use said key to encrypt/decrypt all further messages.
Modulo Arithmetic (RSA) Diffie Hellman
We’ve already described RSA at a high level. Now, let’s take a look at a concrete example. Suppose Bob wants to send a message to Alice. Bob will start off by generating a new random prime number N and corresponding generator g.
NOTE: g isn’t random, but how we go about selecting it is beyond the scope of this article.
In practice, N is a large number. However, for the sake of simplicity, we’ll use the following values:
Both g & N are sent over the network as plain text. Bob then generates a secret key a = 2. Next, Bob raises the generator g to the power of his secret key a, and takes the modulo of the result. The end product A = 5 is sent to Alice.
On the other end, Alice performs the same steps — that is, she generates a secret key b, raises the generator g to the power of her secret key b, takes the modulo of the product, and sends the end result B = 3 to Bob.
Even if a malicious actor were to snoop on their traffic, they wouldn’t be able to derive Bob’s or Alice’s secret key from A and B.
Upon receiving B from Alice, Bob raises it to the power of his private key a, and takes the modulo of the result.
Alice does the same.
Alice and Bob both end up with the same number, 9, in this case. They then use 9 as the key for a symmetrical encryption algorithm like AES.
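The exchange above as an added Python example (not code from the original article). The values of g and N did not survive on the page, so N = 11, g = 7 and Alice's secret b = 4 are constructed assumptions chosen to reproduce the article's A = 5, B = 3 and shared key 9; the brute-force helper shows why N must be large in practice, and hashing the result into a key is an added step beyond the text.

```python
import hashlib

# Constructed toy parameters (assumption, not from the article): N = 11, g = 7
# reproduce the article's A = 5, B = 3 and shared key 9.
N, G = 11, 7

def public_value(secret):
    """g^secret mod N: the value sent over the network as plain text."""
    return pow(G, secret, N)

def shared_secret(their_public, my_secret):
    """Raise the peer's public value to our own secret key, mod N."""
    return pow(their_public, my_secret, N)

def brute_force_secret(public):
    """Try every exponent; this only finishes because N is tiny."""
    for x in range(1, N):
        if pow(G, x, N) == public:
            return x
    return None

def derive_key(secret):
    """Hash the shared number into 32 bytes usable as an AES-256 key."""
    width = (N.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()

a, b = 2, 4                                  # Bob's secret; Alice's is assumed
A, B = public_value(a), public_value(b)      # 5 and 3, sent in the clear
bob_key = shared_secret(B, a)                # Bob:   B^a mod N
alice_key = shared_secret(A, b)              # Alice: A^b mod N

if __name__ == "__main__":
    print("A =", A, "B =", B, "shared =", bob_key, alice_key)
    print("eavesdropper recovers a =", brute_force_secret(A))
    print("AES key:", derive_key(bob_key).hex())
```

With an 11-element group the eavesdropper's loop ends after at most ten tries; the same loop over a prime thousands of bits long is what makes the exchange safe.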
Elliptic Curve Diffie Hellman
Trying to derive the private key from a point on an elliptic curve is a harder problem to crack than traditional RSA (modulo arithmetic). In consequence, Elliptic Curve Diffie Hellman can achieve a comparable level of security with fewer bits.
A smaller key requires fewer computational steps in order to encrypt/decrypt a given payload. You wouldn’t notice much of a difference when establishing secured connections from your local machine. However, on something like a Medium web server that performs thousands upon thousands of key exchanges every second, the use of Elliptic Curve Diffie Hellman can lead to significant savings.
We can visualize the domain of all possible numbers in a Diffie Hellman RSA key exchange as a circle (due to the nature of the modulo function). The larger the value of n, the larger the circle, and the harder it is to guess the correct number.
In contrast, as the name implies, the domain of all possible numbers for an elliptic curve Diffie Hellman key exchange takes the form of an elliptic curve.
The preceding elliptic curve is characterized by the following mathematical equation:
In the wild, it’s pretty common to use the equation (mod n).
In practice, you want to use curves that have been developed by professional mathematicians, and vetted to ensure they are secure.
Instead of raising things to powers as in the case of RSA, elliptic curve Diffie Hellman works by adding the point G to itself several times over.
Let’s take a look at an example. Suppose Bob initiates a connection with Alice. Bob selects a generator G (a point on the curve) and the parameters a, b, n of the elliptic curve equation, and sends them across the wire as plain text.
Bob and Alice then each generate a private key (number). For the sake of simplicity, let’s assume Bob selects b = 9 and Alice selects a = 3. Bob and Alice are responsible for computing bG = 9G and aG = 3G respectively.
In order to compute xG (where x is any number), we use the formulas for adding and doubling a point. For instance, to determine 2G, we use the formula for doubling a point.
To take the modulo of a fraction, we can make use of a modular multiplicative inverse calculator.
We then multiply the answer by 77 % 17 = 9, and take the modulo of the result.
The x coordinate of the point can be calculated as follows:
We then use x2G to compute y2G.
To calculate 3G, we use the formula for adding a point.
We start off by calculating the slope.
Then we compute the x position of the new point.
Finally, we use the value of the x coordinate to compute y.
Bob sends bG = 9G = (7, 6) over the network. Similarly, Alice sends aG = 3G = (10, 6). In the event a malicious actor is listening, it’s damn well impossible to derive the value of aG or bG from the points (7, 6) and (10, 6) on the elliptic curve.
Once Bob receives aG = (10, 6) from Alice, he computes abG = 9(3G) = 27G = (13, 7). When Alice receives bG = (7, 6) from Bob, she computes abG = 3(9G) = 27G = (13, 7). They then both use the x coordinate of abG as their symmetrical encryption key for all further data transfer.
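The point doubling, point addition and exchange described above, as an added Python example (not code from the original article). The curve equation and G were lost with the article's images, so the curve y² = x³ + 2x + 2 (mod 17) with G = (5, 1) is an assumption, chosen because it reproduces the page's 77 % 17 = 9 step and its points 3G = (10, 6), 9G = (7, 6) and 27G = (13, 7); the check that a received point lies on the curve is an added safeguard beyond the text.

```python
# Assumed toy curve (not stated in the surviving text): y^2 = x^3 + 2x + 2 (mod 17)
# with generator G = (5, 1). It reproduces the article's 3G, 9G and 27G.
P, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity (the group's identity element)

def on_curve(pt):
    """True if pt satisfies the curve equation; received points must pass this."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p, q):
    """Add two points using the slope formulas for doubling and adding."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # vertical line: p + (-p)
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P)  # doubling: 77/2 for 2G
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P)       # adding distinct points
    s %= P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def multiply(k, pt):
    """Compute k*pt by double-and-add instead of k - 1 separate additions."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def shared_point(my_secret, their_point):
    """Validate the peer's point, then multiply it by our private number."""
    if their_point is INF or not on_curve(their_point):
        raise ValueError("peer point is not a valid curve point")
    return multiply(my_secret, their_point)

if __name__ == "__main__":
    bob_pub, alice_pub = multiply(9, G), multiply(3, G)
    print(bob_pub, alice_pub, shared_point(9, alice_pub), shared_point(3, bob_pub))
```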
Translated from: https://towardsdatascience.com/diffie-hellman-key-exchange-f673d617137