OWIN Middleware for the Diffie–Hellman Key Exchange

Summary

The Diffie-Hellman key exchange algorithm, commonly used in SSH, secures the transport of data between two endpoints by generating a run-time key without sending the key over the wire.  This simple method provides a secure way to encrypt information beyond the known TLS/SSL methods and its vulnerabilities.  A open source library, FWF.KeyExchange.Owin, provides a simple way to extend any OWIN web application and provide a secure channel of communication without configuration overhead or manual key sharing.

TLS/SSL is not enough

Man-in-the-middle attacks along with recent known vulnerabilities of TLS/SSL, such as POODLE and DROWN, has highlighted the flaws within certificate transport security over the public Internet and internal enterprise systems.  For securing any enterprise system, both internal and publicly available systems, supplemental encryption is required to ensure that data is protected over-the-wire.

While there are an infinite amount of ways to provide custom encryption implementations, the desire to not reinvent the wheel here is important.  We only need to look at the methods used by other non-HTTP connections to determine ways to use robust and proven standards for securing a connection.  Enter the Diffie-Hellman algorithm.

Diffie-Hellman Key Exchange

Diffie–Hellman key exchange (D–H) is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.  D–H is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Using modular arithmetic, two parties can can exchange public key information to derive a shared secured key without transporting the key between the two endpoints.  The graphic to the right depicts the public and secret information highlighting the difficulty using paint colors, demonstrating that once paint has been mixed it is very difficult to determine the original color.

Secure Transport over the Wire

By leveraging the Diffie-Hellman algorithm, a run-time symmetric key is generated between two endpoints in order to provide a secure transport of messages.  This only needs to be done once at the start of the connection and would greatly benefit any long-running open connection, such as API connections, messaging systems, etc.

Both the calling application and destination application would need a basic exchange logic to perform the key exchange and allow for future data to be secured.  To demonstrate this functionality, Framework Factory has created OWIN middleware components to provide this behavior.

OWIN Middleware

OWIN middleware allows the seamless extension of web applications with behavior such as authentication/authorization.  The FWF.KeyExchange.Owin libraries provide a basic implementation that allows any OWIN application to inherit the key exchange behavior described above with little effort.

FWF.KeyExchange.Owin Usage

  1. Install via NuGet
  2. Add the UseKeyExchange method to your IAppBuilder setup
// Use KeyExchange middleware to handle the key exchange
var bootstrapper = new FWFKeyExchangeBootstrapper();
appBuilder.UseKeyExchange(bootstrapper);
  1. Use the KeyExchangeHttpClient component to make HTTP(s) calls using the shared encryption key
// Send the message to remote endpoint once the key exchange
// has taken place and the message is encrypted over the wire
using (var http = new KeyExchangeHttpClient(bootstrapper))
{
    http.SendPayload(rootUrl, plainTextMessage);
}

Future Development

JavaScript client

  • The current implementation provides a C# HTTP client class to provide the key exchange at start up.  The simplicity of the algorithm would allow for a client-side JavaScript to provide the same behavior.

Acknowledgements

  • Thanks to Josh Patterson for the inspiration and assistance for this article.

 

Leave a Reply

Your email address will not be published. Required fields are marked *