#### <center> Module 4c - Elliptic Curve Diffie-Hellman Exchange 
## <center> SYSE 549: Secure Vehicle and Industrial Networking
## <center> <img src="https://www.engr.colostate.edu/~jdaily/Systems-EN-CSU-1-C357.svg" width="400" /> 
### <center> Instructor: Dr. Jeremy Daily

## Learning Objectives
By the end of this exercise, students should be able to
1. Exchange secrets using a Diffie-Hellman key exchange
2. Differentiate the features and limitations between elliptic curve cryptography (ECC) and RSA

In [2]:
# Install some prequisites
# Be sure version 3.1 or higher is installed
%pip install --upgrade --user cryptography

Note: you may need to restart the kernel to use updated packages.


## Issue 
Symmetric encryption requires the exchange of secret keys. How can we efficiently distribute keys across the Internet such that their secrecy is maintained?

Ans:
The Diffie-Hellman key exchange:
1. Principals exchange their public keys
2. Another's public key along with your own private key can produce the same shared secret.
3. Use this shared secret as the key for symmetric algorithms.

We'll work through an example using Elliptic Curve Cryptography with Curve25519.

# Elliptic Curve Cryptography
ECC is an asymmetric algorithm the uses smaller key sizes and is faster. It suffers from the lack of ability to encrypt data. Instead, ECC is used to exchange pre-shared secrets that can be used for symmetric encryption. Digital signing is well suited for ECC.

References:

https://safecurves.cr.yp.to/ - Advocates for more advanced Elliptic Curves

https://satoshinichi.gitlab.io/b/safecurves-scare.html - Realizes there are system considerations

In [3]:
# Import only the modules we need
import os
import base64
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives import serialization

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/

## Generate Keys for Alice
Let's generate keys using the ed25519 curve. 

In [4]:
#Alice needs to generate a key pair
private_key_for_alice = X25519PrivateKey.generate()
private_key_for_alice

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PrivateKey at 0x180ee4c7910>

In [5]:
# Only 32 bytes are needed for this key
private_bytes_for_alice = private_key_for_alice.private_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PrivateFormat.Raw,
    encryption_algorithm=serialization.NoEncryption()
)
private_bytes_for_alice

b"\x90`\x1ac;\xcak\t\x8c\x14\xac\x86+\xa0'\x93\xa3\xa3q\x8b\xd6\x11V\xf6\xa7\xc3\xc1\x03\xba\xa2\xa6d"

In [6]:
len(private_bytes_for_alice)

32

In [7]:
# Here's the PEM format
print(private_key_for_alice.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption()
        ).decode('ascii')
     )

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VuBCIEIJBgGmM7ymsJjBSshiugJ5Ojo3GL1hFW9qfDwQO6oqZk
-----END PRIVATE KEY-----



In [8]:
#To send out the public key, we have to derive it from the private key and serialize it
public_key_for_alice = private_key_for_alice.public_key()
public_key_for_alice

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee612e50>

In [9]:
#Let's serialize it so we can send it accross the network to bob (and everyone)

In [10]:
# show the raw bytes in the public key
public_bytes_for_alice = public_key_for_alice.public_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PublicFormat.Raw
)
public_bytes_for_alice

b'Z\x02\xdc\x89\xa1\x83\xf7\xae\xfd\xf3\x08\xb0H\xe1\xe5\x08\xfd\x98W\xa0\xcc"\x1c\xb9\xf2\xcc\x96z\xb6)o\x1d'

In [11]:
len(public_bytes_for_alice)

32

In [12]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_alice = public_key_for_alice.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_alice.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MCowBQYDK2VuAyEAWgLciaGD96798wiwSOHlCP2YV6DMIhy58syWerYpbx0=
-----END PUBLIC KEY-----



The keys for elliptic curve cryptography are much shorter than for RSA.

## Generate Keys for Bob

In [13]:
#Bob also needs to generate a key pair
private_key_for_bob = X25519PrivateKey.generate()
private_key_for_bob

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PrivateKey at 0x180ee612d30>

In [14]:
# Bob extracts the public key 
public_key_for_bob = private_key_for_bob.public_key()
public_key_for_bob

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee612cb0>

In [15]:
#Let's serialize it so we can send it across the network to Alice (and everyone)
public_pem_key_for_bob = public_key_for_bob.public_bytes(
       encoding=serialization.Encoding.PEM,
       format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem_key_for_bob.decode('ascii'))

-----BEGIN PUBLIC KEY-----
MCowBQYDK2VuAyEANyDPKf748agCMpibkOvUooso0xvvwxgT+PbIbXWGgmg=
-----END PUBLIC KEY-----



## Diffie-Hellman Key Exchange
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/

## Alice and Bob calculate the same shared secret
By exchanging public keys, each principal can determine the same shared secret.

This is the Elliptic Curve Diffie-Hellman (ECDH) key exchange.

In [16]:
from cryptography.hazmat.primitives.serialization import load_pem_public_key

In [17]:
#recall
public_pem_key_for_alice

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEAWgLciaGD96798wiwSOHlCP2YV6DMIhy58syWerYpbx0=\n-----END PUBLIC KEY-----\n'

In [18]:
#Bob gets a Key from Alice
pub_key_alice = load_pem_public_key(public_pem_key_for_alice)
pub_key_alice

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee612fd0>

In [19]:
shared_secret = private_key_for_bob.exchange(pub_key_alice)
shared_secret

b'L\xd8\x8f\xc2\xe2\x1e\xddE~Q\xa36=\xdc\xf9\xec\x9d\xb4\x15BV\x94\xc3u~b\x14\x01\x8c\xe8p\x18'

In [20]:
' '.join(["{:02X}".format(b) for b in shared_secret])

'4C D8 8F C2 E2 1E DD 45 7E 51 A3 36 3D DC F9 EC 9D B4 15 42 56 94 C3 75 7E 62 14 01 8C E8 70 18'

In [21]:
#Alice gets a public key from Bob
pub_key_bob = load_pem_public_key(public_pem_key_for_bob)
pub_key_bob

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee612dd0>

In [22]:
the_same_shared_secret = private_key_for_alice.exchange(pub_key_bob)
the_same_shared_secret

b'L\xd8\x8f\xc2\xe2\x1e\xddE~Q\xa36=\xdc\xf9\xec\x9d\xb4\x15BV\x94\xc3u~b\x14\x01\x8c\xe8p\x18'

In [23]:
shared_secret == the_same_shared_secret

True

## Alice Sends a Message to Bob

In [24]:
# We can use symmetric encryption now, since each principal has the same key
encryption_key = shared_secret
encryption_key

b'L\xd8\x8f\xc2\xe2\x1e\xddE~Q\xa36=\xdc\xf9\xec\x9d\xb4\x15BV\x94\xc3u~b\x14\x01\x8c\xe8p\x18'

In [25]:
plain_text = b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'
plain_text

b'We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too.'

In [26]:
f = Fernet(base64.urlsafe_b64encode(encryption_key))
cipher_text = f.encrypt(plain_text)
cipher_text

b'gAAAAABnyKK3-ql1EP0vzgPabtdgOPQg_gGvyZjgdY5Oh7rwKPec6rDIy1llOWnuDCOJMnpien4XDgkow6bjNZfz-uM7GgdVLNqF6iS7bDHLbsUpYT-jADwLpGjOUzS2QrzrUaUlo8m7NM6ea4TOogAWeI3YEH5IeowAfZt6ynewS9VBSF07vl_8dc1Udt76vt2NGlc0fKEJ8H6oTbHJ5KsbXaz2ZX-2r-EPuqpmsBxArjUQUXzuVbnMGQGGN4VOKL33Vw_eNjJWVD7ZjLJwLom_y645U4DdaFxUbQlViOJn7yron0FMIrVODop7UQeCxfJT0FS8KwU8-7-4idxwiG0q0ShXvwWJYyndP13-J-oDNA19Irc1UKGNVp4tvhthhruD4nXQL1SJ0zR0iqyuNkdaHSdF1cJaipe9eGT6YTK-INsTIr6Q2JnEpEuMOyhZLywndWVuXsgJYP1cTdEKg4uSSuKkG_pQXaV6iOOnj5M_z2C6Bed3sC2kOmslz6mBH4DbCxSA5AHdAqrNyWUFYwYGtjABFNcmiHFFdx2EpTk8xfT9mhfaqS8='

## Forward and Backward Secrecy
In the approach above, the same shared secret is used each time to encrypt the data. This means that the encryption is only as good as the key protection. If a bunch of cipher text transmitted in public that was enciphered with the same key, then all the data is compromised if the key is cracked. To reduce this risk, ephemeral keys should be used. This mean each piece of cipher text should be encrypted with a unique and non-repeated key that's never saved. 

The idea is that future security incidents don't compromise existing data.
Here's a short article that explains the concept:
https://www.thesslstore.com/blog/perfect-forward-secrecy-explained/

A simple example generating an ephemeral key exchange and key derivation function gives secrecy.

Assume the first key Private key was loaded from disk (and could be discovered).


In [27]:
# Generate an ephemeral private key for Alice
e_private_alice = X25519PrivateKey.generate()
e_private_alice

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PrivateKey at 0x180ee612f70>

In [28]:
# Extract the public portion of the key
e_public_alice = e_private_alice.public_key()
e_public_alice_bytes = e_public_alice.public_bytes(
     encoding=serialization.Encoding.PEM,
     format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
e_public_alice_bytes

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEABgXfsxB/myQv2c8qaOPCP7vA8VaJHIJ1uw40YrgMJCs=\n-----END PUBLIC KEY-----\n'

In [29]:
# Generate an ephemeral private key for Bob
e_private_bob = X25519PrivateKey.generate()
e_private_bob

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PrivateKey at 0x180ee613150>

In [30]:
# Extract the public portion of the key
e_public_bob = e_private_bob.public_key()
e_public_bob_bytes = e_public_bob.public_bytes(
     encoding=serialization.Encoding.PEM,
     format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
e_public_bob_bytes

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEAbrD+Rd0tF9nY8A5o1v7nkrhDbf1KKz7F6Zy6rHfzX0o=\n-----END PUBLIC KEY-----\n'

In [31]:
# Alice creates a symmetric cipher based on the shared secret
f_alice = Fernet(base64.urlsafe_b64encode(shared_secret))
f_alice

<cryptography.fernet.Fernet at 0x180ee402e90>

In [32]:
# Alice encrypts a 32 byte random salt value and the ephemeral public key
salt = os.urandom(32)
cipher_text = f.encrypt(salt + e_public_alice_bytes)
cipher_text # This gets sent to Bob

b'gAAAAABnyKMNh29nuugeLjcGJzOqNxJVW9kewGQjVQdU72gqrA1-p4Q3IheknwU0EKf1ztSMovIHOcB7PTMNr-EmO1WIkQ_gBYDco4FuHtJAbVGau2kYSpebZFbrEI3U08SWM5pyOP7WmbYXFspgq-S4qDyvKOa0k1cK-trwxYLXJC0Bf-PZEhNTDIHUB60eVot2dcx1YVc6qNhXuPNgqFzFw60bK3wFhWnm_gTyZzAezpPwU2iNa7VShux0prlFzhA8R8EmTHWBS_UwvWRxk_Ze8gKUt0UZag=='

In [33]:
# Bob has the same shared secret, so he can decrypt the message
f_bob = Fernet(base64.urlsafe_b64encode(shared_secret))
f_bob

<cryptography.fernet.Fernet at 0x180ee65f390>

In [34]:
#Decrypt the message from Alice and extract the key and salt
message_from_alice = f_bob.decrypt(cipher_text)
salt_from_alice = message_from_alice[:32]
salt_from_alice

b"\xc4,\x0cKhb\xe3N\xf70\xf8\x89r7\xfb\x00\xb1\xf8\x9aA\x04\x16\x84\xc2\xf69\xbc\x1f'\x06\x07d"

In [35]:
# Bob needs to extract the PEM key from Alice
pem_key_from_alice = message_from_alice[32:]
pem_key_from_alice

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEABgXfsxB/myQv2c8qaOPCP7vA8VaJHIJ1uw40YrgMJCs=\n-----END PUBLIC KEY-----\n'

In [36]:
#Bob loads the pem key into memory and uses his private key in a key exchange
e_pub_key_from_alice = load_pem_public_key(pem_key_from_alice)
e_pub_key_from_alice

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee6130b0>

In [37]:
#Bob computes the shared secret based on Bob's ephemeral private key
# and Alice's ephemeral public key
ephemeral_shared_secret = e_private_bob.exchange(e_pub_key_from_alice)
ephemeral_shared_secret

b'\xf8\x06\xf1\xb24\xcc:\x04\xd9\xb8\x93i\xe9\xd5\xc1B|\x0b\xb1\xc3;\xa5\x8d\x16L\xb9\x91\x80<\xc7\x80y'

In [38]:
# Bob needs to send Alice his ephemeral public key. 
# We'll augement the public key with the salt value so Alice know's it's Bob
cipher_text_for_alice = f_bob.encrypt(salt_from_alice + e_public_bob_bytes)
cipher_text_for_alice

b'gAAAAABnyKM8AXktH8x-Y-NPijLL8MSz1ADziG4PbAeX5LRvxSnSDkuIIPMH1cAyoAWksfHW-LjaykrzkiGpKM9XWVawgD2ChnoL10k4iVaspy56J0PVxs9SIN-S1iBZddJN0jbdXeEZybwvip_-lR7yxaWkciDuU_3ZZV0F5GUHQVDG7WztMVrjLbWh2n7eNB8FIBZdZHZvyQYRbCl7Ks3ZGLia2r6DvmslsZmbINUGCPp0HGLsDq1soyrhbGU33A1eqcbH4hO5_kIUG7G7IwyVxtYDhmH_Hw=='

In [39]:
# Alice decrypts the message from Bob and verifies the salt
message_from_bob = f_alice.decrypt(cipher_text_for_alice)
salt_from_bob = message_from_bob[:32]
salt == salt_from_bob # This compares the original salt

True

In [40]:
#Alice extracts the PEM key from Bob's decrypted message
e_pem_from_bob = message_from_bob[32:]
e_pem_from_bob

b'-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEAbrD+Rd0tF9nY8A5o1v7nkrhDbf1KKz7F6Zy6rHfzX0o=\n-----END PUBLIC KEY-----\n'

In [41]:
#Alice loads the pem key into memory and uses her private key in a key exchange
e_pub_key_from_bob = load_pem_public_key(e_pem_from_bob)
e_pub_key_from_bob

<cryptography.hazmat.bindings._rust.openssl.x25519.X25519PublicKey at 0x180ee6131f0>

In [42]:
#Alice computes the shared secret based on Alice's ephemeral private key
# and Bob's ephemeral public key
ephemeral_shared_secret_alice = e_private_alice.exchange(e_pub_key_from_bob)
ephemeral_shared_secret_alice

b'\xf8\x06\xf1\xb24\xcc:\x04\xd9\xb8\x93i\xe9\xd5\xc1B|\x0b\xb1\xc3;\xa5\x8d\x16L\xb9\x91\x80<\xc7\x80y'

In [43]:
# Bob and Alice's keys match
ephemeral_shared_secret_alice == ephemeral_shared_secret

True

In [44]:
# Another security measure is for each to derive a new key based on this secret
# We'll use HMAC based Extract and expand key derivation function
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives import hashes

In [45]:
#Bob computes the session key
hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32, 
        salt=salt_from_alice, # This salt must be shared
        info=b'Ephemeral Key', #This can be anything
    )
session_key_bob = hkdf.derive(ephemeral_shared_secret)
session_key_bob

b'\xe8"\x9c\x00\x0c\xedO&\xe8Kf\xdb\xda#\x83\xaa\n\xd1\xd7\xec\x82S\xf6\x1fH\xe3`\xd6\x9d\xf8\xfd"'

In [46]:
#Alice computes the session key
hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32, 
        salt=salt, # This salt must be shared
        info=b"Ephemeral Key", #This can be anything, so long as it matches
    )
session_key_alice = hkdf.derive(ephemeral_shared_secret_alice)
session_key_alice

b'\xe8"\x9c\x00\x0c\xedO&\xe8Kf\xdb\xda#\x83\xaa\n\xd1\xd7\xec\x82S\xf6\x1fH\xe3`\xd6\x9d\xf8\xfd"'

In [47]:
session_key_alice==session_key_bob

True

In [48]:
# Setup Alices's encryption engine
f_session_alice = Fernet(base64.urlsafe_b64encode(session_key_alice))
f_session_alice

<cryptography.fernet.Fernet at 0x180ee63a520>

In [49]:
# Setup Bob's encryption engine
f_session_bob = Fernet(base64.urlsafe_b64encode(session_key_bob))
f_session_bob

<cryptography.fernet.Fernet at 0x180ee63a780>

In [50]:
plain_text = b"Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.\nNow we are engaged in a great civil war, testing whether that nation, or any nation so conceived and so dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a portion of that field, as a final resting place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this."
plain_text

b'Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.\nNow we are engaged in a great civil war, testing whether that nation, or any nation so conceived and so dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a portion of that field, as a final resting place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this.'

In [51]:
# Bob encrypts and sends the message
cipher = f_session_bob.encrypt(plain_text)
cipher

b'gAAAAABnyKNsK7Jyz5GwMM1cf4G6MU4sn0UJXLjlSn-7MImsEKiLBIiHnSKdD3WZhq8uDQD8aYQGZGdHnHNFij9FqeikRXiC9-R0LhbddKi8FUu8YGpQTpgpmbO8lp-3BnSDsyFpm3Guf8XsBW9cs6Qae78WDwrHQp8G4WEKjIoTuH5OXel6EEEpquE-Bp3PvjkAnrmPo6yq3nZoVwXqrlX76K5TGnlY9hB_8hHKXvcC8w2RtSVyUleMb06a3S5p9cQMuCLCzDpjt_j-FVZaeSq_9aXBad89hj1xZOejpViPAgc7p_SBgHGxv9Go2fGilBuB4Mm7OkS4scmRlTb0yNHYks1jHqCFrTcNGpCYKr6CMzZvml7HZzOimAsvNlt60fLlVu-Sd48PD0pIF-J5T_wVyrOt1FTb6CqwYvEc1Qw2ZpqYJ5aLmP5RLdqbLNi7-ks8VjpG8NC-o2UDnoeJ9JDNUdObTD3Kh-WjwQWou38AZRZjxRDnJhXEP697LrJr9yD0k2RdlKYxuLFpbcgABdRn3sKLTXgW-MwSLzqRWvIY_ehbgcSqW7qNIBblbUuy8ymOmxzwWytpDLM3gHqkxLmWk2AHAg5-ovfL--igMI_rFME4ZW01C15V9nTTuxYNm-9wvSH6RSpizkMvDxBnmG3V4oiD2ZAw78UN2PwxBWioDE_gnFsEbxj2lZwfim9QwgwQUZfgofW4vAYcaN5CJlUW-iKtgcWCDssk3jFfcX_Q9QXKZ7x9NmSIivq4psvF7WuMO5ixXeJiv318-Ej-VZEyuqSg-HK1dCqv_SB8nz6YdChfc15Djq4='

In [52]:
# Test that Alice can decrypt Bob's encrypted message
f_session_alice.decrypt(cipher)

b'Four score and seven years ago our fathers brought forth upon this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.\nNow we are engaged in a great civil war, testing whether that nation, or any nation so conceived and so dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a portion of that field, as a final resting place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this.'

## Summary
We showed how to exchange keys with ECHD.

We also generated ephemeral keys and did a key exchange with forward and backwards secrecy. The keys were short lived and random.

Where do we go from here? There are some intriguing protocols that are designed to enhance the forward and backward secrecy. For example, the double-ratchet algorithm used by Signal. https://signal.org/docs/specifications/doubleratchet/.

Keep in mind the protocol in here has not been vetted, it is for illustration only.