2

I've found a post here: Small subgroup confinement attack on Diffie-Hellman, which says we can pick $k$ in this way: [image]

And, as we know, $2$ will always be a prime factor of $p-1$, therefore there will be a subgroup with two elements that don't generate anything besides themselves. Obviously the neutral element $1$ is in that subgroup; the other element is $p-1$. In this way, can we just pick $k = {(p-1) \over 2}$ as $w=2$; then, Eva can make sure that the so-called shared key must be $1$ or $p-1$?

By the way, I really did some tests, and I found that the resulting shared key really is $1$....

But as far as I know, DH is really a secure algorithm, so I think I must have made a mistake; can anybody tell me where I'm mistaken?

Maarten Bodewes
Shi Tang

1 Answer

1

Diffie-Hellman is vulnerable to an active man-in-the-middle (MITM) attack, and this is one version of such an attack, since Eve is modifying the transmitted values and forwarding them on.

See for example the question and answers here for MITM attacks on DH and possible countermeasures.

kodlu
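The confinement described in the question, together with the receiver-side public-value check that rejects the degenerate values, as an added example that is not part of the original question or answer. The toy safe prime $p = 23$, the generators 5 and 4, and all function names are assumptions chosen for illustration.

```python
# Toy parameters, constructed for illustration: safe prime P = 2*Q + 1.
P, Q = 23, 11
G_FULL = 5   # generates the full group of order 22 (5^11 mod 23 = 22)
G_SUB = 4    # generates the prime-order subgroup of order Q = 11

def confine(y, p=P):
    """The modification from the question: forward y^((p-1)/2) mod p."""
    return pow(y, (p - 1) // 2, p)

def confined_keys(g, p=P):
    """All 'shared' keys the two parties can end up with after confinement."""
    keys = set()
    for a in range(1, p - 1):
        for b in range(1, p - 1):
            A, B = pow(g, a, p), pow(g, b, p)
            k_alice = pow(confine(B, p), a, p)   # Alice uses the altered B
            k_bob = pow(confine(A, p), b, p)     # Bob uses the altered A
            assert k_alice == k_bob              # both still "agree"
            keys.add(k_alice)
    return keys

def validate_public(y, p=P, q=Q):
    """Receiver-side check for a group whose generator has prime order q:
    reject 1 and p-1 (orders 1 and 2) and anything outside the order-q subgroup."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1

if __name__ == "__main__":
    print("full-group generator :", sorted(confined_keys(G_FULL)))
    print("order-q generator    :", sorted(confined_keys(G_SUB)))
    for y in (1, P - 1, pow(G_SUB, 7, P)):
        print(f"validate_public({y}) ->", validate_public(y))
```

With a generator of the order-$q$ subgroup the confined key is always $1$, which matches the result reported in the question. The check only removes the degenerate values; substitution of a different valid public value by an active attacker is addressed by authenticating the exchange, which is the MITM point the answer makes.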