Q

# Diffie-Hellman vs. RSA: Comparing key exchange algorithms

## See which encryption method uses digital signatures, symmetric key exchanges, bulk encryption and much more in this Diffie-Hellman vs. RSA showdown from expert Michael Cobb.

Do you know of any algorithms that merge or combine the RSA and Diffie-Hellman algorithms? Would there be any benefit...

in doing so? If this is not possible, is one better than the other?

Let me answer this question by first explaining Diffie-Hellman vs. RSA algorithms. Diffie-Hellman is a key exchange algorithm and allows two parties to establish, over an insecure communications channel, a shared secret key that only the two parties know, even without having shared anything beforehand.

The shared key is an asymmetric key, but, like all asymmetric key systems, it is inherently slow and impractical for bulk encryption. The key is used instead to securely exchange a symmetric key, such as AES (Advanced Encryption Standard) used to encrypt subsequent communications. Unlike Diffie-Hellman, the RSA algorithm can be used for signing digital signatures as well as symmetric key exchange, but it does require the exchange of a public key beforehand.

RSA and Diffie-Hellman are both based on supposedly intractable problems, the difficulty of factoring large numbers and exponentiation and modular arithmetic respectively, and with key lengths of 1,024 bits, give comparable levels of security. Both have been subjected to scrutiny by mathematicians and cryptographers, but given correct implementation, neither is significantly less secure than the other.

The nature of the Diffie-Hellman key exchange does make it susceptible to man-in-the-middle attacks since it doesn't authenticate either party involved in the exchange. This is why Diffie-Hellman is used in combination with an additional authentication method, generally digital signatures. When using RSA, a 1,024-bit key is considered suitable both for generating digital signatures and for key exchange when used with bulk encryption, while a 2048-bit key is recommended when a digital signature must be kept secure for an extended period of time, such as a certificate authority’s key.

Getting back to the question at hand, you can’t really merge the two algorithms because of the unique attributes and complexity that each one has. Most encryption systems offer a choice between them rather than combining them. SSL 3.0 supports a choice of key exchange algorithms, including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server.

This was last published in March 2011

## Content

Find more PRO+ content and other member only offers, here.

#### Have a question for an expert?

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

### 1 comment

Send me notifications when other members comment.
Diffie-Hellman is anonymous key exchange. RSA is an integrity key exchange. RSA confirms the server knows the private exponent to a public exponent/modulus.

Diffie-Hellman requires the exchange of two clear text keys, a prime number and a generator. Each server generates a random number, calculates (G^random number) mod P and exchanges the answer to that. Then they calculate (other computer's answer ^ My Random Number) mod P. This answer will be the same on both computers. Very simple.

With RSA, two numbers are exchanged, an exponent (generally 65537 is chosen) and a modulus. The server's exponent (private exponent (the calculation for this exponent is a function of two primes and the public exponent; modulus is always prime1 * prime2) is hidden (they share the modulus). The client simply sends (Data ^ exponent) mod modulus = cipher message. On the server side, data can be recovered by data = (cipher message ^ private_exponent) mod modulus.

With Ephemeral Diffie-Hellman, the server's exchanged key is singed by RSA (see SHA-256/PKCS5Padding/Cipher Block Chaining). and sent over the wire in plaintext. This guarantees that the server owns the Private Exponent (Message ^ Private Exponent) mod P which then can be decrypted by (Cipher Message ^ Public Exponent) Mod P, ran against the same algorithm, and compared in plain text on the client side. By utilizing Ephemeral Diffie-Hellman, you maintain the benefit of Anonymous Key Exchange while preventing man-in-the-middle attacks.

Cancel

## SearchCloudSecurity

• ### How to effectively manage the cloud logs of security events

Cloud logs of security events produce an abundance of data. Expert Dave Shackleford discusses how to filter through it and get to...

• ### How the Flip Feng Shui technique undermines cloud security

The Flip Feng Shui attack against hypervisors could have both short and long-term effects on enterprises. Expert Ed Moyle ...

• ### How cloud endpoint protection products benefit enterprises

Cloud endpoint protection products are outpacing standard endpoint protections. Expert Frank Siemons discusses the evolution of ...

## SearchNetworking

• ### Cumulus NOS, Edgecore switch bundle unlikely to beat incumbent vendors

Analysts are skeptical of networking supplier Cumulus's entry into the hardware business. The vendor is selling and supporting an...

• ### Trigger gets props among hot next-gen network automation tools

This week, bloggers look into network automation tools, incident response, and the new reality of MPLS and SD-WAN.

• ### Enterprises finding high value in 25 GbE, 100 GbE switches

Research finds shipments of 25 GbE and 100 GbE switches are outpacing 10/40 GbE hardware, as companies find more value in the ...

## SearchCIO

• ### Oculus trial: Even if Facebook loses, VR to prevail

The outcome of the Oculus trial is up in the air, but VR is gaining ground. Also in Searchlight: Oracle faces discrimination suit...

• ### Securing a board appointment: CIO requirements and benefits

A corporate board appointment can give a CIO invaluable perspective on running a business, but to get one, deep expertise and a ...

• ### PrivacyCon: Tech's assault on (obliteration of?) consumer privacy

The attack on consumer privacy by new tech is huge and growing, enabled by consumers and greased by profit; in other words, a ...

## SearchConsumerization

• ### Android, Windows tablets from HP take aim at business users

HP released a new line of tablets targeting business users. The HP Pro Slate 8 and Pro Slate 12 run Android and cost \$449 and ...

• ### Microsoft to lay off 18,000, Nokia X moves to Windows Phone

Microsoft will lay off 18,000 people over the next year while the Nokia X line of Android smartphones, which was unveiled earlier...

• ### Microsoft Surface Pro 3 vs. Microsoft Surface Pro 2

Surface Pro 2 and Surface Pro 3 are different enough that Microsoft is keeping both on the market as competing products. Which ...

## SearchEnterpriseDesktop

• ### Prepare for the challenging move to Windows 10

Organizations can cling to past versions of Windows as long as they want. But, eventually, they will have to accept Windows 10, ...

Before making a move to Windows 10, IT admins need to know how licensing, hardware and management are different. They also must ...

• ### Give Windows 10 disk space a clean sweep

There are multiple ways to keep Windows 10 running smoothly, such as clearing the clutter of old files and applications. A more ...

## SearchCloudComputing

• ### Words to go: Google cloud storage services

When it comes to cloud storage, going in blind will cause inefficiency and high costs. Familiar yourself with these key Google ...

• ### Cloud, IoT to drive enterprise IT trends in 2017

Cloud computing has evolved quite a bit in the last few years, but it still has far to go. Technologies such as big data, ...

• ### Build cloud web services with microservices

Building cloud web services with microservices provides benefits, such as scalability, and allows enterprise apps to access new ...

## ComputerWeekly

• ### BT draws fire over broadband price hike

Consumer broadband groups have hit out after BT put up its broadband prices

• ### Pay rises tipped for IT security and data analysis roles in 2017

Increase in high-profile data breaches and the need for data insight are seen as contributory factors in salary rises for IT ...

• ### Financial markets regulatory outlook 2017

Financial services companies will face new challenges from innovative financial technology (fintech) companies, regulatory ...

Close