I want to use Node.js as a server-side language. Node.js has a crypto module where DiffieHellman is a class. So, I can use this method to generate the key and compute the key.
But the client also needs to create another instance of the DiffieHellman class. But how to do that? Can I use the crypto module on the client side? If yes, then how? Any solution? Here is my client side code…
    const crypto = require('crypto');
    const express = require('express');
    const app = express();

    // Generate server's keys...
    const server = crypto.createDiffieHellman(139);
    const serverKey = server.generateKeys();

    // send p=prime and g=generator to the client
Diffie-Hellman is a key exchange algorithm where the client and server both generate a public and private key, exchange their public keys, and each combines the received key with its own private key to generate the same secret key.
But there is some confusion in the implementation. Here is the code…
    const crypto = require('crypto');
    const express = require('express');
    const app = express();

    // Generate server's keys...
    const server = crypto.createDiffieHellman(139);
    const serverKey = server.generateKeys();

    // Generate client's keys...
    const client = crypto.createDiffieHellman(server.getPrime(), server.getGenerator());
    const clientKey = client.generateKeys();

    // Exchange and generate the secret...
    const serverSecret = server.computeSecret(clientKey);
    const clientSecret = client.computeSecret(serverKey);
First of all, the server creates an instance of the DiffieHellman class to generate a key. But the client needs the server’s prime (.getPrime()) and generator (.getGenerator()) to create another instance of the DiffieHellman class to generate a key.
So the server needs to pass the value of server.getGenerator() to the client. What happens if a man-in-the-middle attack occurs at this time? Because if a hacker somehow gets these two things, then they can also generate the same secret key. (-_-)
Any solution? Think of this system without TLS.
I am using the crypto module of Node.js for exchanging keys using the Diffie-Hellman algorithm.
    const crypto = require("crypto");

    const alice = crypto.createDiffieHellman(512);
    const aliceKey = alice.generateKeys();

    const bob = crypto.createDiffieHellman(alice.getPrime(), alice.getGenerator());
    const bobKey = bob.generateKeys();

    const aliceSecret = alice.computeSecret(bobKey);
    const bobSecret = bob.computeSecret(aliceKey);
The above example is taken from the Node.js documentation. As shown, the client uses the server's prime number for generating the prime number.
My question is: how should I securely send the prime number and the other parameter to the client over the internet? Are there any other alternatives?
Another question: I am generating keys using the generateKeys function, but I have already generated private-key.pem and public-cert.pem files. Can I use those? If yes, then how? If no, then what is the difference between those keys?
I understand the Diffie Hellman key exchange. What I don’t understand is the role the server’s private key plays in it.
I’m not talking about the server’s generated secret. I understand that purpose quite well. I’m talking about the private key associated with the server’s certificate/public key.
I understand the role of the server’s private key in the RSA key exchange, but I don’t think the server’s private key is needed in the Diffie-Hellman key exchange.
If the server’s private key isn’t needed in the Diffie-Hellman key exchange AND I forced all clients to only use the Diffie-Hellman key exchange, could I, in theory, delete the server’s private key for added security?
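The questions above (whether the prime and generator must be kept secret, whether an existing private-key.pem can be used, and what the certificate's private key does in a Diffie-Hellman exchange) meet in one mechanism, shown here as an added example that is not from the original posts or the Node.js documentation: p and g are public, and the server's long-term private key signs its ephemeral DH public key so a man-in-the-middle cannot substitute its own. The function names, the choice of the `modp14` group, and the freshly generated Ed25519 key pair standing in for the PEM files are assumptions of this example.

```javascript
const crypto = require('crypto');

// Assumption: this long-term signing key pair stands in for the
// private-key.pem / public-cert.pem pair; the client already trusts the public half.
const serverIdentity = crypto.generateKeyPairSync('ed25519');

// p and g are public. Both sides use the standardized 2048-bit group from
// RFC 3526 (modp14), so nothing secret has to be shipped before the exchange.
function newDhParty() {
  const dh = crypto.getDiffieHellman('modp14');
  dh.generateKeys();
  return dh;
}

// Server: sign the ephemeral DH public key with the long-term private key.
function serverHello(dh, signingKey) {
  const publicKey = dh.getPublicKey();
  return { publicKey, signature: crypto.sign(null, publicKey, signingKey) };
}

// Client: refuse to compute a secret unless the signature verifies.
function clientDerive(dh, hello, trustedServerKey) {
  if (!crypto.verify(null, hello.publicKey, trustedServerKey, hello.signature)) {
    throw new Error('server DH public key failed signature check');
  }
  return dh.computeSecret(hello.publicKey);
}

function demo() {
  const server = newDhParty();
  const client = newDhParty();
  const hello = serverHello(server, serverIdentity.privateKey);

  // Honest run: both sides arrive at the same secret.
  const clientSecret = clientDerive(client, hello, serverIdentity.publicKey);
  const serverSecret = server.computeSecret(client.getPublicKey());

  // Active man-in-the-middle: substitutes its own DH public key but cannot
  // produce a valid signature over it, so the client aborts.
  const mallory = newDhParty();
  const forged = { publicKey: mallory.getPublicKey(), signature: hello.signature };
  let rejected = false;
  try { clientDerive(client, forged, serverIdentity.publicKey); } catch (e) { rejected = true; }

  return { match: clientSecret.equals(serverSecret), rejected };
}

console.log(demo());
```

Signing only the DH public key keeps the example short; deployed protocols such as TLS sign a transcript that includes fresh nonces and run the shared secret through a key-derivation function before use.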
I’m the developer for a web application that was recently pen tested. One of the vulnerabilities reported from the pen test is that our server uses an unsafe Diffie-Hellman prime in our key exchange.
I would like to verify this finding. How can I do this?
I am making a chat feature in my app where I want to encrypt it e2ee, but the problem is that when I start to calculate the public key = g^private % n, it takes a decade to get it done. I need to know how to simplify it for the CPU.