The Diffie-Hellman key exchange also is known as D-H which was subsequently conceptualized by Ralph Merkle and later published by Whitfield Diffie and Martin Hellman. It has since been a popular cryptographic algorithm. It facilitates Internet protocols to agree upon shared key(Symmetric) and negotiate a secure communication channel. This exchange algorithm is used by many protocols, namely: HTTPS, SSH, IPsec, SMTPS, and all protocols reliant on TLS.
Figure 1.0 Illustrates a passive attacker(observer)
Diffie-Hellman Encryption is based on Modulo Exponentiation and doesn’t prove who you share the key with, just that the key isn’t known by anyone else.
Attacks on Diffie-Hellman
- MitM or Logjam attack against the TLS protocol
- Threats from state-level adversaries
To address the TLS issues, in a post by WEAKDH(n.d), we do the following:
- Disable Export Cipher Suites
- Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
- Use a Strong, Diffie Hellman Group
Other solutions include:
- Making sure your browser is up-to-date as browser vendors improve their security against Logjam attacks
- Ensure that the TLS libraries reject DH lower than 1024-bit
- Use QUALYS SSL LABS(https://www.ssllabs.com/ssltest/analyze.html) to test your web server
Sample DH Calculation
Step in conduction the DH Encryption, how it works.
- Alice(R1) and Bob(R2) have to agree on a prime number p and a base value g.
- Here, p = 23 and g = 5
- Alice chooses a secret number, a, and sends Bob A = ga mod p.
- Here, a = 6
- A = 56 mod 23
- A = 15,625 mod 23
- A = 8
- Bob chooses a secret number, b, and sends Bob B = gb mod p.
- Here, b = 15
- B = 515 mod 23
- B = 30517578125 mod 23
- B = 19
- Alice computes the final secret shared number s = Ba mod p.
- s = 196 mod 23
- s = 47,045,881 mod 23
- s = 2
- Bob computes the final secret shared number s = Ab mod p.
- s = 815 mod 23
- s = 35,184,372,088,832 mod 23
- s = 2
- Alice and Bob now shares a secret key, s = 2, that can’t be derived from the public information
Proving the solution
- Alice ≡ Bob
- K = gab mod p
- K = 5(6)*15 mod 23 ≡ 5(15)*6 mod 23
Red denotes publicly visible values
Green denotes private values
Figure 1.1 Illustrates an active attacker(MitM)
The legality and exploitation of international MiTM attacks
Cybercrimes have the potential to erode confidence and trust in the economy thereby impairing national Development. This, however, is not prevalent in Jamaica and even so the government, which is the most likely organization to be attacked have encountered some in recent years. The government information and financial sector has seen a rise in a number of attempted attacks and have started to put in place units, acts, policies, and mitigations.
The United Nations Office of Drugs and Crime (UNODC) estimates that identity theft is the most profitable form of cybercrime, generating perhaps US$1 billion per year in revenue on a global basis. In an article by the Jamaica Observer(2015), a Global Security Strategist and Threat Researcher, David Manky, made a presentation to some of the country’s Top Investors and Corporations. In his presentation, he highlighted that “We must remember that cybercrime has no boundaries, so Jamaica is not immune,”.
This statement holds true as the nation has embarked on a path of using technology to further communicate with clients, customers and business to business relations. David had also expressed that “The global problem of cybercrime is pegged anywhere between $400 billion and $600 billion”. An article in The Gleaner(2015), “Following the St Vincent attack, for example, the St Lucia government has said it is strengthening its cyber-security and is encouraging collaboration at the national, regional and international levels.”
Figure 1.0 A Cyber Security Report submitted by CFCU
In an attempt to mitigate same, the Jamaican Government as written a Nation Cyber Security Strategy (NCSS) which gave rise to the Communication Forensics and Cybercrime Unit (CFCU), Major Organised Crime and Anti-Corruption Agency (MOCA), Cyber Incident Response Team (CIRT), National Cyber Security Task Force (NSTF), The Cybercrimes Act, 2015 and the inducting of the these entities in the Ministry with responsibility for Information and Communications Technology (ICT).
Figure 1.1 A Cyber Security Report submitted by CFCU
Has part of this initiative the government has established a frame built around the following key areas according to the Government of Jamaica (2014):
- Technical Measures
- This seeks to ensure that network infrastructure and in particular critical infrastructure systems are resilient to cyber threats.
- Human Resource and Capacity Building
- recognizes that establishing and sustaining a pool of trained professionals in Information Security will assist in ensuring there is a national capacity to detect, respond and recover from cyber incidents as well as promote local research and development in Information Security in Jamaica.
- Legal and regulatory
- efforts will be focused on examining and undertaking reform in the legislative landscape to promote a healthy and safe business environment where businesses can thrive.
- Public education and awareness
- seeks to develop targeted campaigns to facilitate each stakeholder group’s understanding of the potential threats and risks they would likely face and appropriate action they can take to protect themselves.
Stated in The Cybercrimes Act Bill of 2015, for first offenders, there will be a fine not exceeding JMD$4 million or imprisonment for a term not exceeding four years, or both, the previous Bill stood at JMD$2 million or imprisonment for a term not exceeding two years, or both.
Figure 1.2 A Cyber Security Report submitted by CFCU
The ministry of Science Energy and Technology(2016), reported that the Jamaica Information Service website suffered as a DoS attack. They were able to conduct recovery procedures within four hours. This attack revealed not just the lack of appropriate security policy within the government, but the existence of outdated IT systems and software(legacy) application still being used within the system that needs to govern.
Corporate/Industry Espionage/Cyber Exploitation
Presently there have been no known causes of Corporate, Industry Espionage or Cyber Exploitation within Jamaica, but with the growth in the usage of the internet within the country that is soon to be expected. Having the Bill passed before any of these are attacks energies, somewhat eliminate some of the detrimental occurrences that could transpire whether within the government or across the country.
Mitigations and preventions
Economically, cybercrimes have not prevalent impacted Jamaica. Now that we are equipped with the requisite knowledge to have embarked on a journey of investment in the protection of data across the spectrum of the country. Personally, been protected is a three-step process:
- Implement Security Enrich Applications
- Keep abreast of security trends and threats
- Implement monitoring
Having this step I think is the perfect security cycle for protecting one’s system. It also ensures that one stays abreast of changes in the different technological silos.
Based on the research conducted several global research studies have clearly established the link between ICT use and GDP growth. The World Bank has reported that the development of broadband on emerging economic markets is prominent than for higher-income generated countries and this will potentially stem higher growth effect than other ICT. Additionally, research also suggests that broadband access and speed positively affect household incomes and the performance of children at school.
Government of Jamaica (2014) National Cyber Security Strategy. The Ministry of Science Energy and Technology [Online]. Available at: http://mset.gov.jm/sites/default/files/pdf/Jamaica%20National%20Cyber%20Security%20Strategy.pdf (Accessed: Aug 30, 2016).
Henry, B. (2015) House passes Cybercrimes Act; fine for breaches moves to $4 million, Available at: http://www.jamaicaobserver.com/news/House-passes-Cybecrimes-Act–fine-for-breaches-moves-to–4-million_19233622 (Accessed: Aug 29, 2016).
Jamaica Observer (2015) Jamaica urged to increase cyber security focus, Available at: http://www.jamaicaobserver.com/mobile/news/Jamaica-urged-to-increase-cyber-security-focus_19234305 (Accessed: Aug 29, 2016).
The Gleaner (2011) JCF Steps Up Fight Against Cybercrimes, Available at: http://jamaica-gleaner.com/gleaner/20110310/news/news5.html (Accessed: Aug 29, 2016).
The Gleaner (2015) David Jessop | New Threats To Caribbean Cyber Security, Available at: http://jamaica-gleaner.com/article/business/20150816/david-jessop-new-threats-caribbean-cyber-security (Accessed: Aug 29, 2016).
Weakdh (n.d) Guide to Deploying Diffie-Hellman for TLS, Available at: https://weakdh.org/sysadmin.html (Accessed: Aug 28, 2016).