
Public Key Infrastructure

So we can set up a secure channel, roughly. In fact, here are my helper scripts from last time:

This is cool. Setting up a secure channel in public! So what's the catch?

Flaw 1: number theory needs care (backdoors included)

Let's live-demo Pohlig-Hellman.

I picked out a weak prime and a discrete log to solve:

$$ 285016 \equiv 2^{x} \mod(830483) $$

Find \(x\).

830483 is a prime, and the cycle length of 2 is 830482.

Let's pretend that a brute force over 800,000 values is too large, but 10,000 values is bearable.

Notation: \( y = 2^{x} \mod(p) \)
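Here is the demo worked through in code. This is an added example, not the course's helper scripts: a plain Pohlig-Hellman solver using baby-step giant-step inside each small subgroup. The reason the weak prime falls is that the group order p - 1 = 830482 factors as 2 * 617 * 673 (verified by the trial division below), so no single sub-problem ever needs more than a few hundred steps, far below the 10,000 the text allows. The function and variable names are my own.

```python
# Added example (not the course's helper scripts): Pohlig-Hellman for the
# demo instance y = 2^x mod 830483. It works because the order of 2,
# p - 1 = 830482 = 2 * 617 * 673, is smooth, so each sub-problem is tiny.
from math import isqrt

def factor(n):
    """Trial-division factorisation, returns {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def bsgs(g, h, p, order):
    """Baby-step giant-step: x in [0, order) with g^x = h (mod p), or None.
    Costs about 2*sqrt(order) multiplications instead of `order`."""
    m = isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)   # g^(-m); a negative exponent in pow() needs Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, big = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(big, -1, m) % m
        x += big * t
        big *= m
    return x % big

def pohlig_hellman(g, h, p, order):
    """Solve g^x = h (mod p) given the order of g, exploiting its factorisation."""
    residues, moduli = [], []
    for q, e in factor(order).items():
        qe = q ** e
        g_q = pow(g, order // qe, p)        # generator of the subgroup of order q^e
        h_q = pow(h, order // qe, p)
        g_base = pow(g_q, q ** (e - 1), p)  # element of order exactly q
        x_q = 0
        for k in range(e):                  # one base-q digit of (x mod q^e) per round
            h_k = pow(h_q * pow(g_q, -x_q, p) % p, q ** (e - 1 - k), p)
            d = bsgs(g_base, h_k, p, q)
            if d is None:
                raise ValueError("h is not in the subgroup generated by g")
            x_q += d * q ** k
        residues.append(x_q)
        moduli.append(qe)
    return crt(residues, moduli)

def solve_demo():
    """The lecture's instance: find x with 2^x = 285016 (mod 830483)."""
    p, g, y = 830483, 2, 285016
    x = pohlig_hellman(g, y, p, p - 1)
    assert pow(g, x, p) == y
    return x

if __name__ == "__main__":
    print("x =", solve_demo())
```

The same code is why real deployments pick a safe prime (p = 2q + 1 with q prime) or a named group: then the largest subgroup has order q, roughly the size of p itself, and the per-subgroup shortcut buys the attacker nothing.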

Flaw 2: Man-in-the-middle attack

OK, so with a public-key exchange I can establish a secure connection with anyone (up to the number-theory choices/risks). BUT now the identity of WHO I am talking to becomes very important.

The most common application of this DHKE process is TLS, the protocol behind HTTPS that encrypts website traffic. So making sure that no one is pretending to be a site they are not is important.

Public Key Infrastructure

This is the idea of certs, who signs them, and what a digital signature is. Also the chain of trust, DNSSEC, and a whole TON of work by the IETF, Certificate Authorities, and so on.

https://www.cloudflare.com/learning/ssl/how-does-ssl-work/

Friday Afternoon Fun

Look at MY websec.prof.ninja cert. I'll use the command: openssl x509 -in my.cert -text -noout, or just an online decoder.

Make a self-signed certificate at the command line (here's a Stack Overflow answer).

Let's see how Let's Encrypt signs a cert automagically for a domain you own (certbot).

Digital Signatures

Behind all of these certs is the idea of a digital signature. It works like this:

When a digital signature "signs" a message it provides:

  1. INTEGRITY - your message was not altered
  2. AUTHENTICATION - your message was indeed sent by you alone
  3. NON-REPUDIATION - you cannot deny that you signed that document

There are two (ok maybe 3) digital signature paradigms out there:

RSA Digital Signatures

The textbook version of an RSA digital signature is: do RSA encryption but swap the roles of the public and private key. That textbook version is not secure enough for reality.

In practice it's all about the padding: https://www.rfc-editor.org/rfc/rfc3447#section-8

DSA (and ECDSA)

This is the "Digital Signature Algorithm" and its elliptic-curve equivalent.

This is the key behind the blockchain (this plus the hashing toy problem and maybe a Merkle tree).

Here are some old notes on the matter

Extra Flag

So I had imagined a problem where I gave you a cert and the private key that goes with it, then the pcap of me visiting a secret site, encrypted.

But that really only helps if it was pure RSA encryption (RSA key exchange), so I changed the problem to the more modern technique:

Here is the pcap: tls.pcapng, and this other file my malware exfiltrated from the target: sslkey.log
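For anyone who has not met that second file before: it is in the NSS key log format that SSLKEYLOGFILE-aware clients write and Wireshark reads, one secret per line keyed by the session's ClientHello.random. Below is an added example (mine, not one of the assignment files): a small parser plus a classifier that says which sessions in a capture such a log can unlock. The sample log is constructed with placeholder hex values, not taken from the real sslkey.log.

```python
# Added example (not part of the assignment files): a parser for the NSS
# key log format. Each line is <LABEL> <ClientHello.random, 64 hex> <secret hex>;
# '#' starts a comment. The SAMPLE below is constructed, not the course's file.
import re

LINE_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\s*$")

TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}; skips comments and junk."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate a torn line from an interrupted write
        label, rnd, secret = m.groups()
        sessions.setdefault(rnd.lower(), {})[label] = bytes.fromhex(secret)
    return sessions

def decryptable(sessions, client_random_hex):
    """What a capture session with this ClientHello.random could yield."""
    labels = set(sessions.get(client_random_hex.lower(), {}))
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
        return "tls1.3-application-data"
    if "CLIENT_RANDOM" in labels:          # TLS 1.2: the 48-byte master secret
        return "tls1.2-master-secret"
    if labels & TLS13_LABELS:
        return "tls1.3-partial"             # handshake only, app data stays dark
    return "none"

# Constructed sample: two sessions, one TLS 1.2 and one TLS 1.3, plus a bad line.
R12, R13 = "aa" * 32, "11" * 32
SAMPLE = "\n".join([
    "# constructed sample, placeholder secrets",
    f"CLIENT_RANDOM {R12} {'bb' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R13} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R13} {'55' * 32}",
    "not a key log line",
])

if __name__ == "__main__":
    s = parse_keylog(SAMPLE)
    for rnd in s:
        print(rnd[:16], "...", decryptable(s, rnd))
```

This is exactly why the certificate's private key stopped being enough: with an (EC)DHE key exchange the server key only signs the handshake, the session keys come from the ephemeral exchange, and the only artefact that recovers them after the fact is a per-session secret like the ones in this log. Matching on ClientHello.random is also how you would tell, during an investigation, which captured sessions an exfiltrated log actually exposes.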