Diffie-Hellman key-exchange is a specific method of securely Key-Exchange over a public channel and was one of the first Public Key protocols as originally conceptualized by Ralph Merkle.

Diffie-Hellman key-exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network.

The following conceptual diagram illustrates the general idea of the key exchange by using colors instead of very large numbers.

Illustration of the Diffie–Hellman Key Exchange

The process begins by having the two parties, Alice and Bob, agree on an arbitrary starting color that does not need to be kept secret (but should be different every time).

In this example the color is yellow. Each of them selects a secret color–red and aqua respectively–that they keep to themselves.

The crucial part of the process is that Alice and Bob now mix their secret color together with their mutually shared color, resulting in orange and blue mixtures respectively, then publicly exchange the two mixed colors.

Finally, each of the two mix together the color they received from the partner with their own private color. The result is a final color mixture (brown) that is identical to the partner's color mixture.

If another party Eve had been listening in on the exchange, it would be computationally difficult for that Eve to determine the common secret color; in fact, when using large numbers rather than colors, this action is impossible for modern supercomputers to do in a reasonable amount of time.

Diffie-Hellman key-exchange is the Best Current Practice for Key-Exchange.

Diffie-Hellman key-exchange Detail#

Diffie-Hellman key-exchange or "Diffie-Hellman key agreement" is not based on encryption and decryption, but instead relies on mathematical functions that enable two parties to generate a shared secret key for exchanging information confidentially over an insecure channel.

Essentially, each party agrees:

  • on a public value g and a large prime number p .
  • one party chooses a secret value x
  • the other party chooses a secret value y
  • Both parties use their secret values to derive public values, g x mod p and g y mod p,
  • they exchange the public values.
  • Each uses the other party's public value to calculate the shared secret key that is used by both parties for confidential communications.
A third party cannot, in theory, derive the shared secret key because they do not know either of the secret values, x or y .

For Example:

  • Alice chooses secret value x and sends the public value g x mod p to Bob.
  • Bob chooses secret value y and sends the public value g y mod p to Alice.
  • Alice uses the value g xy mod p as her secret key for confidential communications with Bob.
  • Bob uses the value g yx mod p as his secret key.
Because g xy mod p equals g yx mod p, Alice And Bob can use their secret keys with a Symmetric Key algorithm to conduct confidential communications. The use of the modulo function ensures that both parties can calculate the same secret key value, but an eavesdropper cannot. An eavesdropper can intercept the values of g and p , but because of the extremely difficult mathematical problem created by the use of a large prime number in mod p, the eavesdropper cannot feasibly calculate either secret value x or secret value y . The secret key is known only to each party and is never visible on the network.

Diffie-Hellman key-exchange is widely used with varying technical details by Internet security technologies, such as IPsec and TLS, to provide secret Key-Exchange for confidential online communications.

Diffie-Hellman Key-Exchange is one of the earliest practical examples of public Key exchange implemented within the field of cryptography. Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier.

The Diffie-Hellman key-exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a Symmetric Key cipher.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-9) was last changed on 16-Jun-2017 10:23 by jim