Diffie and Hellman describe a means for two parties to agree upon a shared secret in such a way that the secret will be unavailable to eavesdroppers.
Synonyms of Diffie-Hellman key exchange include:
Diffie-Hellman key agreement
Diffie-Hellman key establishment
Diffie-Hellman key negotiation
exponential key exchange
Diffie-Hellman key agreement requires that both the sender and recipient of a message have key pairs. By combining one's private key and the other party's public key, both parties can compute the same shared secret number. This number can then be converted into cryptographic keying material. That keying material is typically used as a key encryption key (KEK) to encrypt (wrap) a content-encryption key (CEK), which is in turn used to encrypt the message data.
History of the protocol
Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had been discovered by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia.
The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms.
Security Considerations
All the security in this system is provided by the secrecy of the private keying material. If either sender or recipient private keys are disclosed, all messages sent or received using that key are compromised. Similarly, loss of the private key results in an inability to read messages sent using that key.
Static Diffie-Hellman keys are vulnerable to a small subgroup attack. In practice, this issue arises for both sides in Static-Static mode and for the receiver during Ephemeral-Static mode.
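The following is an added example, not code from the original article: it runs both sides of a finite-field Diffie-Hellman agreement as described above (each party combines its own private key with the other's public key, and the resulting shared secret is converted into a key-encryption key), and it performs the public-value validation that protects a static key against the small-subgroup attack mentioned in the previous paragraph. It assumes the 2048-bit MODP group (group 14) from RFC 3526, a safe prime p = 2q + 1 with generator 2, and uses SHA-256 over the fixed-width shared secret as a simple stand-in for the X9.42 key derivation; the `info` label is constructed for the example.

```python
"""Added example (not from the original article): Diffie-Hellman agreement,
KEK derivation, and public-value validation against small-subgroup attacks.

Assumptions: RFC 3526 group 14 (p is a safe prime, generator 2); SHA-256 over
the fixed-width shared secret stands in for the X9.42 / RFC 2631 KDF.
"""
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2            # p is a safe prime, so G generates a subgroup of prime order q
ZZ_LEN = (P.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used here only to sanity-check the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair():
    """Private exponent x in [1, q-1]; public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def validate_public_value(y):
    """Public-value validation, the defence against the small-subgroup attack.
    y must lie in [2, p-2] and satisfy y^q = 1 mod p, i.e. sit in the
    prime-order subgroup. For a safe prime this rejects 1 and p-1 (the only
    small-order elements) and also elements of order 2q, which are outside the
    subgroup and would leak the low bit of a static private key."""
    if not 2 <= y <= P - 2:
        raise ValueError("public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return y


def shared_secret(private_key, peer_public):
    """ZZ = y_peer^x mod p, computed only after the peer's value is validated."""
    validate_public_value(peer_public)
    return pow(peer_public, private_key, P)


def derive_kek(zz, info=b"example-kek", length=32):
    """Convert the shared secret into keying material. ZZ is encoded at a fixed
    width so leading zero bytes survive; SHA-256(ZZ || info) is a constructed
    stand-in for the X9.42 KDF, not the derivation RFC 2631 specifies."""
    zz_bytes = zz.to_bytes(ZZ_LEN, "big")
    return hashlib.sha256(zz_bytes + info).digest()[:length]


def agree():
    """Run both sides of the exchange and return the two independently derived KEKs."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    kek_a = derive_kek(shared_secret(a_priv, b_pub))
    kek_b = derive_kek(shared_secret(b_priv, a_pub))
    return kek_a, kek_b


if __name__ == "__main__":
    kek_a, kek_b = agree()
    print("KEKs match:", kek_a == kek_b)
```

`validate_public_value` runs before any private exponent touches a received value, which is the order that matters for a static key: a value like `p - 2` is in range but not in the prime-order subgroup, and the subgroup check rejects it instead of letting the private key be used against it.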
The security level provided by these methods depends on several factors. It depends on the length of the symmetric key (typically, a 2^l security level if the length is l bits); the size of the prime q (a 2^{m/2} security level if its length is m bits); and the size of the prime p (where the security level grows as a subexponential function of the size in bits). A good design principle is to have a balanced system, where all three security levels are approximately the same. If many keys are derived from a given pair of primes p and q, it may be prudent to have higher levels for the primes. In any case, the overall security is limited by the lowest of the three levels.