Diffie–Hellman key exchange

Diffie–Hellman key exchange, or DH, is a mathematical method of securely exchanging cryptographic keys over a public channel.
It is used to generate a random symmetric secret key between any two hosts that wish to communicate securely.

Because a new secret key is used every session, this algorithm introduces forward secrecy into the system, which pure RSA does not. But standard DH does not provide user verification, so there’s no way to verify whether the client/server actually sent the message. Thus, it is highly susceptible to MITM attacks. Today standard DH is never used.

In TLS cipher suites, a version of DH called ECDHE is used for key sharing, and ECDSA or RSA is used for user authentication.

Types of keys

Ephemeral:

Static:

  • long term shared secret
  • implicit authenticity (as it is guaranteed that only the secret holder can encrypt the message)
  • no forward secrecy

“ephemeral, static” or “semi-static”:

  • no forward secrecy
  • one-sided authenticity

Finite Field Diffie-Hellman

A great animated video on the working of the DH algorithm.
This is the working of the standard Diffie-Hellman algorithm, later formalized as the Finite Field Diffie-Hellman algorithm.

Finite Field DH has roughly the same key strength as RSA for the same key sizes.
So 2048-bit FFDH has the same security as 2048-bit RSA.

To try hands-on with numbers, refer to Python’s cryptography library documentation.
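
An added example (not from the original page) of the finite-field exchange with numbers, using only Python's standard library: it shows that every session yields a fresh key and that, without authentication, a relay substituting its own public value leaves the two endpoints holding different keys without noticing. The 127-bit prime P, the generator G and all function names are assumptions chosen for illustration; the prime is far too small for real use.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): a 127-bit Mersenne prime.
# Real finite-field DH uses standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair():
    """Fresh ephemeral pair: public = G^private mod P."""
    priv = secrets.randbelow(P - 3) + 2            # 2 <= priv <= P-2
    return priv, pow(G, priv, P)

def shared_key(my_priv, peer_pub):
    """Symmetric key derived from my private and the peer's public value."""
    if not 2 <= peer_pub <= P - 2:                 # 0, 1 and P-1 force a known secret
        raise ValueError("invalid peer public value")
    secret = pow(peer_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def honest_session():
    """Each side receives the other's real public value."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)

def relayed_session():
    """A relay replaces each public value in transit with its own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    return {
        "client": shared_key(a_priv, m_pub),       # client believes m_pub is the server's
        "server": shared_key(b_priv, m_pub),       # server believes m_pub is the client's
        "relay_to_client": shared_key(m_priv, a_pub),
        "relay_to_server": shared_key(m_priv, b_pub),
        # What a signature over the server's value would let the client check:
        "client_saw_server_value": m_pub == b_pub,
    }

if __name__ == "__main__":
    k1, k2 = honest_session()
    print("honest keys match:", k1 == k2)
    r = relayed_session()
    print("endpoints agree under relay:", r["client"] == r["server"])
    print("client saw the server's real value:", r["client_saw_server_value"])
```

The key exchange itself completes without error in both cases; only a check bound to an identity, such as the ECDSA or RSA signature used in TLS, distinguishes them.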

ECDH(E)

In this, Elliptic Curve Cryptography is used to perform the DH key exchange.
This is more secure than Finite Field DH, and is the most widely used in TLS.
Please refer to the ECDH