How Diffie-Hellman Key Exchange can Cause Availability Issues

The Diffie-Hellman key exchange is a cryptographic protocol that allows parties to establish a shared secret over an insecure channel. The security of this key exchange is based on the difficulty of the Discrete Logarithm Problem (DLP) in a given group, such as the multiplicative group of integers modulo a prime number \(p\).

The Diffie-Hellman key exchange is computationally expensive due to the nature of the mathematical operations it involves, particularly the explained modular exponentiation with very large numbers Even with optimized algorithms like square-and-multiply or Montgomery multiplication, which can lead to significant computational effort. The arithmetic operations involved require high-precision arithmetic to handle large numbers, however, standard processors are not designed to handle such large integers directly, so multiple-precision arithmetic libraries are used,

Exploiting the computationally expensive nature of the Diffie-Hellman key exchange protocol an attacker can perform a denial-of-service (DoS) attack by sending arbitrary numbers as public keys to a target server forcing it to generate its public key, validate the peer’s one, and compute the shared secret. All three operations require the computationally complex modular exponentiation which creates an asymmetric resource usage situation, which is the basis for overloading the server’s CPU and rendering it unavailable. The attack is carried out with such a methodology called D(HE)at attack (CVE-2002-20001).