UNiD provides a secure channel between two communicating peers; the only requirement from the underlying transport is a reliable, in-order data stream.
The secure channel should provide the following properties:
- Authentication: the server-side of the channel is always authenticated; the client of the channel is optionally authenticated
- Confidentiality: Data sent over the channel after establishment is only visible to the endpoints.
- Integrity: Data sent over the channel after establishment cannot be modified by attackers without detection.
This blog introduces the Diffie-Hellman Key Exchange concept used in the handshake protocol (the actual one is more tightly defined).
- p is a prime number of at least 1024 bits, and there is a prime number q of size close to p in the p-1 divisor
- g is the generator
- a is secret of the edge device
- b is secret of the cloud
DH Key Exchange
- Edge device computes the public key Ka = g^a modp and sends it to the cloud
- The cloud uses the private key b to compute Ka^b
- Cloud computes the public key Kb = g^b modp and sends it to the edge device
- Edge device uses private key a to compute Kb^a
The remainder of the world (mod) can be added, subtracted, or multiplied by each formula. This formation is called a quotient ring. Using this property, we can compute the symmetry key Ka^b = Kb^a.
This protocol is not secure as is. The reason is that a man-in-the-middle can come between the edge device and the cloud and send the public key Kc to the cloud and the public key Kd to the edge device, thereby intercepting the communication. In other words, both parties need to verify that the public key they receive genuinely belongs to the other peer.
The handshake protocol requires both client and server to send a message that contains a MAC overall message. Such handshake protocol enables both client and server to ensure that the negotiated parameters have not been modified in the middle by an attacker.
The following blog article will introduce the relationship between DH key exchange and PKI the next time.
If you'd like to be a part of the UNiD community, visit our GitHub. Click Star🌟 if you like.