Diffie-Hellman Keys and Shared Secret generation given Domain Parameters and Public Key

greatx

Sep 13, 2007, 3:40:10 PM
to Crypto++ Users
I am given the Public Key and Domain Parameters from the other party.

I need to:
-generate the ephemeral key pairs (Public Key and Private Key)
-then generate the DH shared secret

Is there any source code sample using crypto++ that illustrates this?
What functions should I use?


Since I cannot attach files here, this is the given sample data in hex
format:

Given PublicKey as a BitString (0x84 bytes long):

PublicKey above after stripping zeroes (0x80 bytes long):

Domain Parameters (0x10f bytes long):

greatx

Sep 13, 2007, 6:43:40 PM
to Crypto++ Users
I have coded 2 fragments, but I am getting different results.

-------------------------------------------------------
Code that does not work as expected:
-------------------------------------------------------
// Load the given Domain Parameters and given Public Key into a byte array
BYTE *GivenDHPublicKey;
unsigned long GivenDHPublicKeyLength;
BYTE *GivenDHDomainParameters;
unsigned long GivenDHDomainParametersLength;
LoadBytesFromFile("GivenPublicKey.bin", GivenDHPublicKey,
                  &GivenDHPublicKeyLength);
LoadBytesFromFile("GivenDomainParams.bin", GivenDHDomainParameters,
                  &GivenDHDomainParametersLength);

// Initiate DH with the given Domain Parameters
DH dh(StringSource(GivenDHDomainParameters,
                   GivenDHDomainParametersLength, true, NULL));

// Generate my Key Pairs
BYTE *myPriv = new BYTE[dh.PrivateKeyLength()];
BYTE *myPub = new BYTE[dh.PublicKeyLength()];
AutoSeededRandomPool arng;
RandomNumberGenerator& rng = *dynamic_cast<RandomNumberGenerator *>(&arng);
dh.GenerateKeyPair(rng, myPriv, myPub);

// Generate Shared Secret Key
unsigned int secretKeyLength = dh.AgreedValueLength();
BYTE *secretKey = new BYTE[secretKeyLength];
bool result = dh.Agree(secretKey, myPriv, GivenDHPublicKey); // --->
// result is equal to 0 here!!! which I think is a bad result

-------------------------------------------------------
Code that does work:
-------------------------------------------------------
// Load the given Domain Parameters and given Public Key into a byte array
BYTE *GivenDHPublicKey;
unsigned long GivenDHPublicKeyLength;
BYTE *GivenDHDomainParameters;
unsigned long GivenDHDomainParametersLength;
LoadBytesFromFile("GivenPublicKey.bin", GivenDHPublicKey,
                  &GivenDHPublicKeyLength);
LoadBytesFromFile("GivenDomainParams.bin", GivenDHDomainParameters,
                  &GivenDHDomainParametersLength);

// Initiate DH with the given Domain Parameters
DH dh(StringSource(GivenDHDomainParameters,
                   GivenDHDomainParametersLength, true, NULL));
// This here is the difference on the code: basically I had to create
// a dhTemp and pass the prime and generator... why???
Integer iPrime = dh.GetGroupParameters().GetModulus();
Integer iGenerator = dh.GetGroupParameters().GetSubgroupGenerator();
DH dhTemp(iPrime, iGenerator);

// Generate my Key Pairs
BYTE *myPriv = new BYTE[dhTemp.PrivateKeyLength()];
BYTE *myPub = new BYTE[dhTemp.PublicKeyLength()];
AutoSeededRandomPool arng;
RandomNumberGenerator& rng = *dynamic_cast<RandomNumberGenerator *>(&arng);
dhTemp.GenerateKeyPair(rng, myPriv, myPub);

// Generate Shared Secret Key
unsigned int secretKeyLength = dhTemp.AgreedValueLength();
BYTE *secretKey = new BYTE[secretKeyLength];
bool result = dhTemp.Agree(secretKey, myPriv, GivenDHPublicKey); //
// ---> result is equal to 1 here, which I think is OK


Why does the second fragment work and not the first one... probably I
am getting too tired and don't see something obvious... :)

Vadym Fedyukovych

Sep 14, 2007, 5:22:37 AM
to greatx, cryptop...@googlegroups.com
On Thu, Sep 13, 2007 at 12:40:10PM -0700, greatx wrote:
>
> I am given the Public Key and Domain Parameters from the other party.

It's likely that the Domain Parameters are a group description.
In case of a multiplicative group: modulus p, generator g, group order q.

Then, Public Key is g^x mod p,
for some x that is a private key of the other party.

> I need to:
> -generate the ephemeral key pairs (Public Key and Private Key)

So, get some y at random from 2..(q-1) for your Private Key
and produce g^y mod p for Public

> -then generate the DH shared secret

That is, (g^x)^y mod p

> Is there any source code sample using crypto++ that illustrates this?
> What functions should I use?
>
>
> Since I cannot attach files here, this is the given sample data in hex
> format:
>
> Given PublicKey as a BitString (0x84 bytes long):

You need to make an integer g^x from this somehow,
so you were likely given a hint regarding encoding as well.
It might be DER/ASN.1

> 00 02 81 80 55 3C E7 35 EC F5 CB F2 02 9D 30 FA A4 F9 73 35 DF 40 40

> ...


>
> PublicKey above after stripping zeroes (0x80 bytes long):

What's the reason for doing this?

> 55 3C E7 35 EC F5 CB F2 02 9D 30 FA A4 F9 73 35 DF 40 40 47 E4 F8 58

> ...


>
> Domain Parameters (0x10f bytes long):

This might be a DER-encoded structure.
Consider parsing it with an ASN.1 tool

> 30 82 01 0B 02 81 81 00 DC B5 54 DF 8C 69 31 E8 65 C1 B5 88 27 3D 80

> ...
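
The three steps described in the reply above, as an added example (not code from the thread or from Crypto++): a toy group with constructed parameters p = 2027, q = 1013, g = 4, where the received public value is checked for subgroup membership before it is used. All function names are hypothetical.

```cpp
#include <cstdint>
#include <random>

// Constructed toy group, NOT from the thread and far too small for real use:
// p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
struct Group { uint64_t p, q, g; };
static const Group kToy = {2027, 1013, 4};

// Square-and-multiply; free of overflow while m < 2^32.
uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

// Private key y drawn from 2..(q-1). std::random_device stands in for a
// CSPRNG such as the AutoSeededRandomPool used in the thread's code.
uint64_t random_private(const Group& G) {
    std::random_device rd;
    std::uniform_int_distribution<uint64_t> dist(2, G.q - 1);
    return dist(rd);
}

// Public key g^y mod p.
uint64_t make_public(const Group& G, uint64_t y) { return modpow(G.g, y, G.p); }

// Reject 0, 1, p-1 and anything outside the order-q subgroup.
bool valid_public(const Group& G, uint64_t Y) {
    return Y > 1 && Y < G.p - 1 && modpow(Y, G.q, G.p) == 1;
}

// Shared secret (g^x)^y mod p; returns false when the peer's value fails
// validation, so the caller must check the result before using the secret.
bool agree(const Group& G, uint64_t y, uint64_t peer_pub, uint64_t& secret) {
    if (!valid_public(G, peer_pub)) return false;
    secret = modpow(peer_pub, y, G.p);
    return true;
}

int main() {
    uint64_t x = random_private(kToy), y = random_private(kToy), s1 = 0, s2 = 0;
    bool ok = agree(kToy, y, make_public(kToy, x), s1) &&
              agree(kToy, x, make_public(kToy, y), s2);
    return (ok && s1 == s2) ? 0 : 1;
}
```
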

Jeffrey Walton

Sep 14, 2007, 1:20:40 PM
to Vadym Fedyukovych, greatx, cryptop...@googlegroups.com
> > Given PublicKey as a BitString (0x84 bytes long):
>
> You need to make an integer g^x from this somehow,
> so you were likely given a hint regarding encoding as well.
> It might be DER/ASN.1
DER encoding would start with a byte of 0x30 (SEQUENCE_TAG). I'm not
sure of ASN.1. An ASN.1 parser can be found at www.obj-sys.com.

Jeff

greatx

Sep 14, 2007, 4:05:15 PM
to Crypto++ Users
I believe the function dh.Agree(...) is NOT expecting the given public
key to be in DER encoding, or is it?
I have tried putting the given public key with the SEQUENCE in the
beginning of it, but the Agree() returned 0.
If I put the given public key after stripping the unused zero bytes,
then the Agree() returns 1.

Please also note my question about this:
---------------------------------------------------


// Initiate DH with the given Domain Parameters
DH dh(StringSource(GivenDHDomainParameters,
GivenDHDomainParametersLength, true, NULL));
// This here is the difference on the code: basically I had to create
// a dhTemp and pass the prime and generator... why???
Integer iPrime = dh.GetGroupParameters().GetModulus();
Integer iGenerator = dh.GetGroupParameters().GetSubgroupGenerator();
DH dhTemp(iPrime, iGenerator);

----------------------------------------------------

Christian
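
The posted key sample begins 00 02 81 80, which reads as a BIT STRING unused-bits octet followed by a DER INTEGER header (tag 0x02, long-form length 0x80), accounting for 0x84 = 1 + 3 + 0x80 bytes. The following added example (not code from the thread or from Crypto++) extracts that integer into a fixed-length big-endian buffer, left-padding values that happen to be short; the function names and sample bytes are constructed, and out_len is assumed to be the value of dh.PublicKeyLength().

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Check the tag at pos, return the content length, leave pos at the content.
static size_t read_header(const Bytes& in, size_t& pos, uint8_t tag) {
    if (in.size() < 2 || pos > in.size() - 2 || in[pos] != tag)
        throw std::runtime_error("unexpected tag");
    size_t len = in[pos + 1];
    pos += 2;
    if (len & 0x80) {                      // long form, e.g. 0x81 0x80
        size_t n = len & 0x7F;
        if (n == 0 || n > 4 || n > in.size() - pos)
            throw std::runtime_error("bad length");
        for (len = 0; n--; ) len = (len << 8) | in[pos++];
    }
    if (len > in.size() - pos) throw std::runtime_error("truncated");
    return len;
}

// Decode a non-negative DER INTEGER into exactly out_len big-endian bytes.
Bytes read_integer_fixed(const Bytes& in, size_t& pos, size_t out_len) {
    size_t len = read_header(in, pos, 0x02);
    if (len == 0 || (in[pos] & 0x80))
        throw std::runtime_error("empty or negative INTEGER");
    size_t start = pos;
    pos += len;
    while (len > 1 && in[start] == 0) { ++start; --len; }  // DER sign padding
    if (len > out_len) throw std::runtime_error("INTEGER too large");
    Bytes out(out_len - len, 0);           // left-pad short values with zeros
    out.insert(out.end(), in.begin() + start, in.begin() + start + len);
    return out;
}

// BIT STRING contents: one unused-bits octet (must be 0), then the INTEGER.
Bytes public_from_bitstring(const Bytes& content, size_t out_len) {
    if (content.empty() || content[0] != 0)
        throw std::runtime_error("unexpected unused-bits octet");
    size_t pos = 1;
    Bytes y = read_integer_fixed(content, pos, out_len);
    if (pos != content.size()) throw std::runtime_error("trailing bytes");
    return y;
}

int main() {  // constructed sample: 00 | 02 03 | 00 9A BC
    return public_from_bitstring({0, 2, 3, 0, 0x9A, 0xBC}, 4) == Bytes{0, 0, 0x9A, 0xBC} ? 0 : 1;
}
```
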

Jeffrey Walton

Sep 14, 2007, 5:24:12 PM
to greatx, Crypto++ Users
Hi Christian,

Have you looked at the sample on the Wiki?
http://www.cryptopp.com/wiki/Diffie-Hellman_Key_Exchange.

Jeff

greatx

Sep 14, 2007, 5:35:54 PM
to Crypto++ Users
Hi Jeff, that is where I got my code base from, then modified it a
little, because I get the DomainParameters from a file.

The following is still unclear to me:
-can I use:


DH dh(StringSource(GivenDHDomainParameters,
GivenDHDomainParametersLength,
true,
NULL));

-can the given public key be as bytes (integer without the zeroes) or
does it have to be DER with the SEQUENCE?
-why does my code posted before work only if I use the dhTemp (read
my second thread)

Thanks.
Christian

On Sep 14, 5:24 pm, "Jeffrey Walton" <noloa...@gmail.com> wrote:
> Hi Christian,
>

> Have you looked at the sample on the Wiki? http://www.cryptopp.com/wiki/Diffie-Hellman_Key_Exchange.
>
> Jeff


>
> On 9/14/07, greatx <bercz...@hotmail.com> wrote:
>
> > I believe the function dh.Agree(...) is NOT expecting the given public
> > key to be in DER encoding, or is it?
> > I have tried putting the given public key with the SEQUENCE in the
> > beginning of it, but the Agree() returned 0.
> > If I put the given public key after stripping the unused zero bytes,
> > then the Agree() returns 1.
>
> > Please also note my question about this:
> > ---------------------------------------------------
> > // Initiate DH with the given Domain Parameters
> > DH dh(StringSource(GivenDHDomainParameters,
> > GivenDHDomainParametersLength, true, NULL));
> > // This here is the difference on the code: basically I had to create
> > // a dhTemp and pass the prime and generator... why???
> > Integer iPrime = dh.GetGroupParameters().GetModulus();
> > Integer iGenerator = dh.GetGroupParameters().GetSubgroupGenerator();
> > DH dhTemp(iPrime, iGenerator);
> > ----------------------------------------------------
>

> > Christian
