#### <center> Module 4c - Elliptic Curve Diffie-Hellman Exchange 
## <center> ENGR 580A2: Secure Vehicle and Industrial Networking
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="600" /> 
### <center> Instructor: Dr. Jeremy Daily<br>Fall 2021

## Learning Objectives
By the end of this exercise, students should be able to
1. Exchange secrets using a Diffie-Hellman key exchange
2. Differentiate the features and limitations between elliptic curve cryptography (ECC) and RSA

In [None]:
# Install some prequisites
# Be sure version 3.1 or higher is installed
%pip install --upgrade --user cryptography

## Issue 
Symmetric encryption requires the exchange of secret keys. How can we efficiently distribute keys across the Internet such that their secrecy is maintained?

Ans:
The Diffie-Hellman key exchange:
1. Principals exchange their public keys
2. Another's public key along with your own private key can produce the same shared secret.
3. Use this shared secret as the key for symmetric algorithms.

We'll work through an example using Elliptic Curve Cryptography with Curve25519.

# Elliptic Curve Cryptography
ECC is an asymmetric algorithm the uses smaller key sizes and is faster. It suffers from the lack of ability to encrypt data. Instead, ECC is used to exchange pre-shared secrets that can be used for symmetric encryption. Digital signing is well suited for ECC.

References:

https://safecurves.cr.yp.to/ - Advocates for more advanced Elliptic Curves

https://satoshinichi.gitlab.io/b/safecurves-scare.html - Realizes there are system considerations

In [None]:
# Import only the modules we need
import os
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives import serialization

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/

## Generate Keys for Alice
Let's generate keys using the ed25519 curve. 

In [None]:
#Alice needs to generate a key pair
private_key_for_alice = X25519PrivateKey.generate()
private_key_for_alice

In [None]:
# Only 32 bytes are needed for this key
private_bytes_for_alice = private_key_for_alice.private_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PrivateFormat.Raw,
    encryption_algorithm=serialization.NoEncryption()
)
private_bytes_for_alice

In [None]:
len(private_bytes_for_alice)

In [None]:
# Here's the PEM format
print(private_key_for_alice.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption()
        ).decode('ascii')
     )

In [None]:
#To send out the public key, we have to derive it from the private key and serialize it
public_key_for_alice = private_key_for_alice.public_key()
public_key_for_alice

In [None]:
#Let's serialize it so we can send it accross the network to bob (and everyone)
public_pem_key_for_alice = public_key_for_alice.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_alice.decode('ascii'))

In [None]:
# show the raw bytes in the public key
public_bytes_for_alice = public_key_for_alice.public_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PublicFormat.Raw
)
public_bytes_for_alice

In [None]:
len(public_bytes_for_alice)

The keys for elliptic curve cryptography are much shorter than for RSA.

## Generate Keys for Bob

In [None]:
#Bob also needs to generate a key pair
private_key_for_bob = X25519PrivateKey.generate()
private_key_for_bob

In [None]:
# Bob extracts the public key 
public_key_for_bob = private_key_for_bob.public_key()
public_key_for_bob

In [None]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_bob = public_key_for_bob.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_bob.decode('ascii'))

## Diffie-Hellman Key Exchange
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/

## Alice and Bob calculate the same shared secret
By exchanging public keys, each principal can determine the same shared secret.

This is the Elliptic Curve Diffie-Hellman (ECDH) key exchange.

In [None]:
from cryptography.hazmat.primitives.serialization import load_pem_public_key

In [None]:
#recall
public_pem_key_for_alice

In [None]:
#Bob gets a Key from Alice
pub_key_alice = load_pem_public_key(public_pem_key_for_alice)
pub_key_alice

In [None]:
shared_secret = private_key_for_bob.exchange(pub_key_alice)
shared_secret

In [None]:
' '.join(["{:02X}".format(b) for b in shared_secret])

In [None]:
#Alice gets a public key from Bob
pub_key_bob = load_pem_public_key(public_pem_key_for_bob)
pub_key_bob

In [None]:
the_same_shared_secret = private_key_for_bob.exchange(pub_key_alice)
the_same_shared_secret

In [None]:
shared_secret == the_same_shared_secret

## Alice Sends a Message to Bob

In [None]:
# We can use symmetric encryption now, since each principal has the same key
encryption_key = shared_secret
encryption_key

In [None]:
plain_text = b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'
plain_text

In [None]:
f = Fernet(base64.b64encode(encryption_key))
cipher_text = f.encrypt(plain_text)
cipher_text

## Forward and Backward Secrecy
In the approach above, the same shared secret is used each time to encrypt the data. This means that the encryption is only as good as the key protection. If a bunch of cipher text transmitted in public that was enciphered with the same key, then all the data is compromised if the key is cracked. To reduce this risk, ephemeral keys should be used. This mean each piece of cipher text should be encrypted with a unique and non-repeated key that's never saved. 

The idea is that future security incidents don't compromise existing data.
Here's a short article that explains the concept:
https://www.thesslstore.com/blog/perfect-forward-secrecy-explained/

A simple example generating an ephemeral key exchange and key derivation function gives secrecy.

Assume the first key Private key was loaded from disk (and could be discovered).


In [None]:
# Generate an ephemeral private key for Alice
e_private_alice = X25519PrivateKey.generate()
e_private_alice

In [None]:
# Extract the public portion of the key
e_public_alice = e_private_alice.public_key()
e_public_alice_bytes = e_public_alice.public_bytes(
     encoding=serialization.Encoding.PEM,
     format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
e_public_alice_bytes

In [None]:
# Generate an ephemeral private key for Bob
e_private_bob = X25519PrivateKey.generate()
e_private_bob

In [None]:
# Extract the public portion of the key
e_public_bob = e_private_bob.public_key()
e_public_bob_bytes = e_public_bob.public_bytes(
     encoding=serialization.Encoding.PEM,
     format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
e_public_bob_bytes

In [None]:
# Alice creates a symmetric cipher based on the shared secret
f_alice = Fernet(base64.urlsafe_b64encode(shared_secret))
f_alice

In [None]:
# Alice encrypts a 32 byte random salt value and the ephemeral public key
salt = os.urandom(32)
cipher_text = f.encrypt(salt + e_public_alice_bytes)
cipher_text # This gets sent to Bob

In [None]:
# Bob has the same shared secret, so he can decrypt the message
f_bob = Fernet(base64.urlsafe_b64encode(shared_secret))
f_bob

In [None]:
#Decrypt the message from Alice and extract the key and salt
message_from_alice = f_bob.decrypt(cipher_text)
salt_from_alice = message_from_alice[:32]
salt_from_alice

In [None]:
# Bob needs to extract the PEM key from Alice
pem_key_from_alice = message_from_alice[32:]
pem_key_from_alice

In [None]:
#Bob loads the pem key into memory and uses his private key in a key exchange
e_pub_key_from_alice = load_pem_public_key(pem_key_from_alice)
e_pub_key_from_alice

In [None]:
#Bob computes the shared secret based on Bob's ephemeral private key
# and Alice's ephemeral public key
ephemeral_shared_secret = e_private_bob.exchange(e_pub_key_from_alice)
ephemeral_shared_secret

In [None]:
# Bob needs to send Alice his ephemeral public key. 
# We'll augement the public key with the salt value so Alice know's it's Bob
cipher_text_for_alice = f_bob.encrypt(salt_from_alice + e_public_bob_bytes)
cipher_text_for_alice

In [None]:
# Alice decrypts the message from Bob and verifies the salt
message_from_bob = f_alice.decrypt(cipher_text_for_alice)
salt_from_bob = message_from_bob[:32]
salt == salt_from_bob # This compares the original salt

In [None]:
#Alice extracts the PEM key from Bob's decrypted message
e_pem_from_bob = message_from_bob[32:]
e_pem_from_bob

In [None]:
#Alice loads the pem key into memory and uses her private key in a key exchange
e_pub_key_from_bob = load_pem_public_key(e_pem_from_bob)
e_pub_key_from_bob

In [None]:
#Alice computes the shared secret based on Alice's ephemeral private key
# and Bob's ephemeral public key
ephemeral_shared_secret_alice = e_private_alice.exchange(e_pub_key_from_bob)
ephemeral_shared_secret_alice

In [None]:
# Bob and Alice's keys match
ephemeral_shared_secret_alice == ephemeral_shared_secret

In [None]:
# Another security measure is for each to derive a new key based on this secret
# We'll use HMAC based Extract and expand ke derivation function
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives import hashes

In [None]:
#Bob computes the session key
hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32, 
        salt=salt_from_alice, # This salt must be shared
        info=b'Ephemeral Key', #This can be anything
    )
session_key_bob = hkdf.derive(ephemeral_shared_secret)
session_key_bob

In [None]:
#Alice computes the session key
hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32, 
        salt=salt, # This salt must be shared
        info=b"Ephemeral Key", #This can be anything, so long as it matches
    )
session_key_alice = hkdf.derive(ephemeral_shared_secret_alice)
session_key_alice

In [None]:
session_key_alice==session_key_bob

In [None]:
# Setup Alices's encryption engine
f_session_alice = Fernet(base64.urlsafe_b64encode(session_key_alice))
f_session_alice

In [None]:
# Setup Bob's encryption engine
f_session_bob = Fernet(base64.urlsafe_b64encode(session_key_bob))
f_session_bob

In [None]:
plain_text = b"Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.\nNow we are engaged in a great civil war, testing whether that nation, or any nation so conceived and so dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a portion of that field, as a final resting place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this."
plain_text

In [None]:
# Bob encrypts and sends the message
cipher = f_session_bob.encrypt(plain_text)
cipher

In [None]:
# Test that Alice can decrypt Bob's encrypted message
f_session_alice.decrypt(cipher)

## Summary
We showed how to exchange keys with ECHD.

We also generated ephemeral keys and did a key exchange with forward and backwards secrecy. The keys were short lived and random.

Where do we go from here? There are some intriguing protocols that are designed to enhance the forward and backward secrecy. For example, the double-ratchet algorithm used by Signal. https://signal.org/docs/specifications/doubleratchet/.

Keep in mind the protocol in here has not been vetted, it is for illustration only.