Introduction to Networking - Key Exchange Mechanisms

#readwise # Introduction to Networking - Key Exchange Mechanisms ![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article3.5c705a01b476.png) ## Metadata - Author: [[Hack The Box]] - Full Title: Introduction to Networking - Key Exchange Mechanisms - URL: https://academy.hackthebox.com/module/34/section/1875 ## Summary Key exchange mechanisms securely share cryptographic keys between parties to protect communication. Popular methods include Diffie-Hellman, RSA, and elliptic curve algorithms, each with distinct strengths and weaknesses. The Internet Key Exchange (IKE) helps establish secure connections, often using Diffie-Hellman for key sharing. Using a Pre-Shared Key (PSK) can add security but may complicate the key exchange process. ## Highlights ## Diffie-Hellman One common key exchange method is the [Diffie-Hellman key exchange](https://www.comparitech.com/blog/information-security/diffie-hellman-key-exchange/), which allows two parties to agree on a shared secret key without any prior communication or shared private information. It is based on the concept of two parties generating a shared secret key that can be used to encrypt and decrypt messages between them. It is often used as the basis for establishing secure communication channels, such as in the [Transport Layer Security](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) (`TLS`) protocol that is used to protect web traffic. One of the main limitations of the `Diffie-Hellman` key exchange is that it is vulnerable to `MITM attacks`. In a MITM attack, we intercept the communication between the two parties and pretend to be one of the parties, generating a different secret key and tricking both parties into using it. This allows the attacker to read and modify the messages sent between the parties. Another limitation is that it requires a relatively large amount of `CPU power` to generate the shared secret key. This can make it impractical for use in low-power devices or in situations where the key needs to be generated quickly. ([View Highlight](https://read.readwise.io/read/01jnv7ata8gnzd3z1rxv1y61er)) --- ## RSA Another key exchange method is the [Rivest–Shamir–Adleman](https://www.venafi.com/blog/how-diffie-hellman-key-exchange-different-rsa) (`RSA`) algorithm, which uses the properties of large prime numbers to generate a shared secret key. This method relies on the fact that it is relatively easy to multiply large prime numbers together but challenging to factor the resulting number back into its prime factors. Besides these two, there are also a couple of others that we need to look at. It is also widely used in many other applications and protocols that require secure communication and data protection, including but not limited to: - Encrypting and signing messages to provide confidentiality and authentication - Protecting data in transit over networks, such as in the [Secure Socket Layer](https://www.cloudflare.com/learning/ssl/what-is-ssl/) (`SSL`) and `TLS` protocols - Generating and verifying digital signatures, which are used to provide authenticity and integrity for electronic documents and other digital data - Authenticating users and devices, such as in the [Public Key Cryptography for Initial Authentication in Kerberos](https://www.ietf.org/rfc/rfc4556.txt) (`PKINIT`) protocol used by the Kerberos network authentication system - Protecting sensitive information, such as in the encryption of personal data and confidential documents ([View Highlight](https://read.readwise.io/read/01jnv7c7wj3ej9qqrk0tzyxbre)) --- ## ECDH [Elliptic curve Diffie-Hellman](https://medium.com/swlh/understanding-ec-diffie-hellman-9c07be338d4a) (`ECDH`) is a variant of Diffie-Hellman key exchange that uses elliptic curve cryptography to generate the shared secret key. It has the advantage of being more efficient and secure than the original Diffie-Hellman algorithm, including but not limited to: - Establishing secure communication channels, such as in the `TLS` protocol - Providing forward secrecy, which ensures that past communications cannot be revealed even if the private keys are compromised - Authenticating users and devices, such as in the [Internet Key Exchange](https://docs.oracle.com/cd/E19683-01/816-7264/6md9iem1g/index.html) (`IKE`) protocol used in VPNs ([View Highlight](https://read.readwise.io/read/01jnv7dc624ytbd2zwa5bnx8qd)) --- ## ECDSA The [Elliptic Curve Digital Signature Algorithm](https://www.hypr.com/security-encyclopedia/elliptic-curve-digital-signature-algorithm) (`ECDSA`) uses elliptic curve cryptography to generate digital signatures that can authenticate the parties involved in the key exchange. ([View Highlight](https://read.readwise.io/read/01jnv7dv8cd6hrvnm23qdjz5g9)) ---