Q
Problem solve Get help with specific problems with your technologies, process and projects.

# Diffie-Hellman vs. RSA: Comparing key exchange algorithms

## See which encryption method uses digital signatures, symmetric key exchanges, bulk encryption and much more in this Diffie-Hellman vs. RSA showdown from expert Michael Cobb.

Do you know of any algorithms that merge or combine the RSA and Diffie-Hellman algorithms? Would there be any benefit...

in doing so? If this is not possible, is one better than the other?

Let me answer this question by first explaining Diffie-Hellman vs. RSA algorithms. Diffie-Hellman is a key exchange algorithm and allows two parties to establish, over an insecure communications channel, a shared secret key that only the two parties know, even without having shared anything beforehand.

The shared key is an asymmetric key, but, like all asymmetric key systems, it is inherently slow and impractical for bulk encryption. The key is used instead to securely exchange a symmetric key, such as AES (Advanced Encryption Standard) used to encrypt subsequent communications. Unlike Diffie-Hellman, the RSA algorithm can be used for signing digital signatures as well as symmetric key exchange, but it does require the exchange of a public key beforehand.

RSA and Diffie-Hellman are both based on supposedly intractable problems, the difficulty of factoring large numbers and exponentiation and modular arithmetic respectively, and with key lengths of 1,024 bits, give comparable levels of security. Both have been subjected to scrutiny by mathematicians and cryptographers, but given correct implementation, neither is significantly less secure than the other.

The nature of the Diffie-Hellman key exchange does make it susceptible to man-in-the-middle attacks since it doesn't authenticate either party involved in the exchange. This is why Diffie-Hellman is used in combination with an additional authentication method, generally digital signatures. When using RSA, a 1,024-bit key is considered suitable both for generating digital signatures and for key exchange when used with bulk encryption, while a 2048-bit key is recommended when a digital signature must be kept secure for an extended period of time, such as a certificate authority’s key.

Getting back to the question at hand, you can’t really merge the two algorithms because of the unique attributes and complexity that each one has. Most encryption systems offer a choice between them rather than combining them. SSL 3.0 supports a choice of key exchange algorithms, including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates and without prior communication between client and server.

This was last published in March 2011

## Content

Find more PRO+ content and other member only offers, here.

#### Have a question for an expert?

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

### 1 comment

Send me notifications when other members comment.
Diffie-Hellman is anonymous key exchange. RSA is an integrity key exchange. RSA confirms the server knows the private exponent to a public exponent/modulus.

Diffie-Hellman requires the exchange of two clear text keys, a prime number and a generator. Each server generates a random number, calculates (G^random number) mod P and exchanges the answer to that. Then they calculate (other computer's answer ^ My Random Number) mod P. This answer will be the same on both computers. Very simple.

With RSA, two numbers are exchanged, an exponent (generally 65537 is chosen) and a modulus. The server's exponent (private exponent (the calculation for this exponent is a function of two primes and the public exponent; modulus is always prime1 * prime2) is hidden (they share the modulus). The client simply sends (Data ^ exponent) mod modulus = cipher message. On the server side, data can be recovered by data = (cipher message ^ private_exponent) mod modulus.

With Ephemeral Diffie-Hellman, the server's exchanged key is singed by RSA (see SHA-256/PKCS5Padding/Cipher Block Chaining). and sent over the wire in plaintext. This guarantees that the server owns the Private Exponent (Message ^ Private Exponent) mod P which then can be decrypted by (Cipher Message ^ Public Exponent) Mod P, ran against the same algorithm, and compared in plain text on the client side. By utilizing Ephemeral Diffie-Hellman, you maintain the benefit of Anonymous Key Exchange while preventing man-in-the-middle attacks.

Cancel

## SearchCloudSecurity

• ### SQL injection attacks: How to defend your enterprise

SQL injection attacks threaten enterprise database security, but the use of cloud services can reduce the risk. Here's a look at ...

• ### Cloud security lessons to learn from the Uber data breach

Any organization that uses cloud services can learn something from the 2016 Uber data breach. Expert Ed Moyle explains the main ...

• ### Challenges in cloud data security lead to a lack of confidence

A new study on cloud data security provides insights into the shaken confidence in the cloud. Despite its increased use, payment ...

## SearchNetworking

• ### Cisco revenue turns positive, as software, security sales up

Cisco revenue grew last quarter for the first time in more than two years, due, in part, to rising software sales. But analysts ...

• ### Making the most of incident detection and response

This week, bloggers look into incident detection strategies, a new anomaly detection tool from ExtraHop and how Ethernet VPN ...

• ### Latest Juniper switches up throughput for cloud applications

The latest Juniper switches target companies that want a network infrastructure with the throughput and management software to ...

## SearchCIO

• ### CISOs, give your cybersecurity program a sense of purpose

'Vanquish the enemy you can see … then prepare for the next engagement.' Brooks Brothers' Phillip Miller gives fellow CISOs new ...

• ### Who's talking? Conversational agent vs. chatbot vs. virtual assistant

Think a conversational agent, chatbot and virtual assistant are the same? Think again. IBM Watson VP and CTO Rob High explains ...

• ### Neurala claims 'lifelong deep neural nets' don't forget

Boston startup Neurala says it has developed deep neural networks that can learn on the fly. Neurala's COO Heather Ames explains.

## SearchEnterpriseDesktop

• ### VMware Workspace One helps Western Digital organize 3,000 apps

The application portal in VMware Workspace One allowed IT to streamline app delivery, and the product's cloud-based model proved ...

• ### Three PC lifecycle management options IT should consider

IT pros can use PCs and laptops until they stop working, or they can set up a lifecycle management plan that retires them after a...

• ### Microsoft Office 2019 release will force IT to migrate to Windows 10

If you're not yet on Windows 10, news about the upcoming Microsoft Office 2019 release may force your hand. Plus, the company ...

## SearchCloudComputing

• ### VMware acquisition continues move toward cloud security

VMware cloud security tools will get a boost from the company's acquisition of CloudCoreo, a security and management startup ...

• ### Application release automation drifts to the cloud

CI/CD initiatives will spark increased adoption of app release automation tools this year, including those hosted in the cloud, ...

• ### User self-service challenges mount in multi-cloud computing

Self-service provisioning presents challenges with a single cloud provider, and a multi-cloud strategy only magnifies those ...

## ComputerWeekly.com

• ### Put the customer first and reap the reward

How businesses can develop a granular understanding of their customers’ needs in a hyper-connected world

• ### ANZ IT Priorities 2018

Every year, Computer Weekly conducts a global survey of our readers to find out their IT spending priorities for the year ahead, ...

• ### Tech industry signs cyber security charter

Nine technology organisations have signed a cyber security charter aimed at raising the level of cyber security internationally

Close