Thursday, 6 March 2008

Public key secure communication using Diffie-Hellman key agreement

In the mid-70s a revolution happened in cryptography: the invention of public key cryptography. Before this revolution only symmetric ciphers existed to encrypt and decrypt messages. They are called symmetric ciphers because the same key is used in the encryption step and in the decryption step (running the cipher in reverse). The keys used with these ciphers are also known as secret keys, since they are secrets that must not be known by the enemy.

The problem is that prior to secure communication the secret key must be distributed to all parties that need to communicate. This cannot happen over the network, since we do not yet have a way to secure communication before the keys have been distributed...

In public key cryptography the parties that are to communicate have key pairs, each consisting of a private and a public key. A public key is given to, or fetched over an insecure channel by, anyone who wishes to communicate securely with its owner: the public keys are for anyone to know about. The private keys are secrets known only to the owner of the key pair.

After the idea of public key cryptography had been put forward, several algorithms have been developed to do:
  • Secret (symmetric) key distribution, usually referred to as key exchange or key agreement.
  • Public key ciphers.
  • Authentication (making sure a message is from whoever claims to have sent it).
The very first algorithm developed to do secret key distribution using the concept of public keys was invented by Diffie and Hellman, and is known as Diffie-Hellman key agreement. It provides secret key distribution but not authentication.

Using this method, the two parties that are to communicate first compute their key pairs using some common, publicly known data and exchange their public keys. Since the key pairs are computed from the same data, each party can compute the same secret key from its own private key and the other's public key. After that the secret key is used to encrypt and decrypt messages between the two parties.

In a client/server model it is natural that the server is the keeper and distributor of the common data. The data can be read from disk, read from a database or even computed when the server starts up. In the Java cryptography API this data may be represented by objects of the type DHParameterSpec. It is a small problem that this class is not Serializable because:
  • One may want to save this data to a file for the server to load on start-up; depending on how persistent data is handled, it may be convenient to have this type serializable.
  • This is information that needs to be distributed to the client over the network, where it could very well be convenient to have it serializable.
The U4JSP class TwoPartyDhKeyAgreement wraps the same data as DHParameterSpec but is serializable and adds properties and methods to make it convenient to implement a secure communication protocol using Diffie-Hellman key agreement.

Note that key agreement can be done among n communicating participants (see KeyAgreement). TwoPartyDhKeyAgreement is implemented for the two-party (i.e. client/server) case, which is the all-important one in network programming.
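The two-party flow described above, as an added example that is not from the original post and is not U4JSP's code: a server publishes the common data in serializable form, the client rebuilds a DHParameterSpec from it, and both sides derive the same key. The names DhAgreementDemo and DhParams are hypothetical, an in-memory byte array stands in for the network, and the 2048-bit size and the SHA-256 hashing of the shared secret are choices made for this example.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

public class DhAgreementDemo {
    // Hypothetical serializable carrier for the common data (p, g, l); not U4JSP's class.
    static class DhParams implements Serializable {
        final BigInteger p, g; final int l;
        DhParams(DHParameterSpec s) { p = s.getP(); g = s.getG(); l = s.getL(); }
        DHParameterSpec toSpec() {
            // The data arrives over an insecure channel: sanity-check it before use.
            if (p.bitLength() < 2048 || !p.isProbablePrime(40)
                    || g.compareTo(BigInteger.ONE) <= 0 || g.compareTo(p.subtract(BigInteger.ONE)) >= 0)
                throw new IllegalArgumentException("rejecting weak or malformed DH parameters");
            return new DHParameterSpec(p, g, l);
        }
    }
    static KeyPair keyPair(DHParameterSpec spec) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }
    // Own private key + peer's public key -> shared secret, hashed into a 256-bit key.
    static byte[] sharedKey(PrivateKey own, PublicKey peer) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own);
        ka.doPhase(peer, true);
        return MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
    }
    public static void main(String[] args) throws Exception {
        // Server: obtain the common data once (here from a freshly generated 2048-bit key).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DH");
        gen.initialize(2048);
        DHParameterSpec common = ((DHPublicKey) gen.generateKeyPair().getPublic()).getParams();
        // Server -> client: the common data travels as serialized bytes.
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(wire)) { out.writeObject(new DhParams(common)); }
        DhParams received = (DhParams) new ObjectInputStream(new ByteArrayInputStream(wire.toByteArray())).readObject();
        KeyPair server = keyPair(common);
        KeyPair client = keyPair(received.toSpec());
        byte[] k1 = sharedKey(server.getPrivate(), client.getPublic());
        byte[] k2 = sharedKey(client.getPrivate(), server.getPublic());
        System.out.println("keys match: " + Arrays.equals(k1, k2));
    }
}
```

As noted earlier in the post, this agreement is not authenticated, so neither side learns from it whose public key and parameters it received.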

See this section of TwoPartyDhKeyAgreement's Java documentation on how it is used. I plan to blog more about code that uses this in client/server programming.

About this blog

I plan to blog here about anything I feel is worth saying regarding security hacking in Java.

Code developed will be published under the Apache License, v 2.0 here.