Diffie-Hellman key exchange

If you've had any experience choosing a cryptographic algorithm, you've probably faced a common dilemma at one time or another: should you use an asymmetric (public key) or symmetric (private key) algorithm?

From a key exchange point-of-view, public key algorithms are much simpler to administer. Users may freely share their public keys over insecure transmission channels without fear of compromising the cryptosystem. In order for pure private key systems to remain truly secure, offline key exchange techniques (such as a floppy diskette) must be used. On the other hand, symmetric algorithms generally operate much faster than their asymmetric counterparts.

Diffie-Hellman key exchange offers the best of both worlds -- it uses public key techniques to allow the exchange of a private encryption key! Let's take a look at how the protocol works, from the perspective of Alice and Bob, two users who wish to establish secure communications. We can assume that Alice and Bob k...

BROWSE BY TAG Security Basics,   Network Security Tactics,   Enterprise Data Protection,   Disk Encryption and File Encryption,   VIEW ALL TAGS

RELATED CONTENT Security Basics Countdown begins for Mydoom DDoS attacks Hackers scanning for ports opened by Mydoom National cybersecurity alert system launched Dangerous, familiar application vulnerabilities top list Potent Mydoom worm flooding inboxes Norton woes blamed on bad VeriSign certificates Microsoft: Word password not a security tool Face-off: Hiring a hacker November 2003: The best of SearchSecurity.com Alert: New RPC vulnerabilities Network Security Tactics What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler How to provide access to Web content (while ensuring network security) Disk Encryption and File Encryption No major PCI DSS revision expected in 2010 How to use TrueCrypt for disk encryption The future of PCI DSS encryption requirements? Tokenization for PCI What are the top three network intrusion techniques? Health Net healthcare data breach affects1.5 million Prevent meet-in-the-middle attacks with TDES encryption Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) encryption  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

now nothing about each other but are in contact. Here are the nine steps of the process:

1. Communicating in the clear, Alice and Bob agree on two large positive integers, n and g, with the stipulation that n is a prime number and g is a generator of n.

2. Alice randomly chooses another large positive integer, X_A, which is smaller than n. X_A will serve as Alice's private key.

3. Bob similarly chooses his own private key, X_B.

4. Alice computes her public key, Y_A, using the formula Y_A = (g^X_A) mod n.

5. Bob similarly computes his public key, Y_B, using the formula Y_B = (g^X_B) mod n.

6. Alice and Bob exchange public keys over the insecure circuit.

7. Alice computes the shared secret key, k, using the formula k = (Y_B ^X_A) mod n.

8. Bob computes the same shared secret key, k, using the formula k = (Y_A ^X_B) mod n.

9. Alice and Bob communicate using the symmetric algorithm of their choice and the shared secret key, k, which was never transmitted over the insecure circuit.

Pretty nifty, eh? Diffie-Hellman key exchange is actually nothing new. It's been around since Whitfield Diffie and Martin Hellman published it in their 1976 paper, "New Directions in Cryptography." However, the recent surge of interest in cryptography and secure communications have increased awareness of the protocol. In fact, you've probably unknowingly used the Diffie-Hellman protocol on a daily basis. It's used by popular protocols like SSL and SSH.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.