Diffie-Hellman key exchange is a method for securely agreeing on a shared session key between two communication partners over a potentially insecure transmission medium. The method is used for numerous cryptographic protocols on the Internet.
What is Diffie-Hellman key exchange?
Diffie-Hellman key exchange is named after its inventors, Whitfield Diffie and Martin Hellman. They developed the method in 1976. It was published under the name x1x2. It is a method for securely agreeing on a shared key between two communication partners over a potentially insecure medium such as the Internet.
Strictly speaking, no key exchange takes place because the shared session key is never transmitted. Keys are computed using other transmitted information. For external attackers who eavesdrop on the medium, calculating the shared session key is mathematically impossible with reasonable effort.
Once the communication partners have agreed on a common session key, they use it to encrypt and decrypt the data. Diffie-Hellman key exchange is often used in conjunction with digital signatures. The signatures provide authentication of the identities of the communication partners.
Typical applications of Diffie-Hellman key exchange are AES (Advanced Encryption Standard), DES (Data Encryption Standard), SSH2 (Secure Shell 2), OpenSSH, IPSec (Internet Protocol Security), and TLS (Transport Layer Security).
The fundamental problem of a key exchange over interceptable media
If two participants use the same secret key for encryption and decryption, it must be ensured that it is known to both. For this purpose, it must be securely exchanged or agreed upon prior to communication. The security of the encryption process stands and falls with the secrecy of the key. A tap-proof medium must be used to exchange the key.
Manual procedures for key exchange are costly and confusing. If a medium can be intercepted, the key used must not be transmitted via this medium under any circumstances, since attackers could intercept the key and use it for encryption and decryption. The Diffie-Hellman method solves the problem of exchanging keys over a potentially insecure medium.
Scientists Whitfield Diffie and Martin Hellman have demonstrated that a shared key can be securely agreed upon over an insecure medium.
The Diffie-Hellman key exchange process
The Diffie-Hellman key exchange is based on a complex mathematical procedure. The following is a highly simplified description of the most important steps in the key agreement process:
- Two communication partners agree on a large public prime number p and a smaller number g
- At the same time, both choose a random number x and y, respectively. These are personal keys that are not known to the other communication partner. x and y are never exchanged between the communication partners
- From their random number and the two public numbers both calculate a new number A and B. These are quasi public keysthe numbers A and B are exchanged by the two communication partners
- From the numbers A and B they can calculate the common key k with their random numbers x and y respectively
- The participants can then use the key k to encrypt and decrypt the data.