Diffie–Hellman key exchange

Diffie–Hellman (DH) key exchange^{[nb 1]} is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.^[1]^[2] DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical means, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric-key cipher.

Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of some countries.^[3]

The scheme was published by Whitfield Diffie and Martin Hellman in 1976,^[2] but in 1997 it was revealed that James H. Ellis,^[4] Clifford Cocks, and Malcolm J. Williamson of GCHQ, the British signals intelligence agency, had previously shown in 1969^[5] how public-key cryptography could be achieved.^[6]

Although Diffie–Hellman key agreement itself is a non-authenticated key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite).

The method was followed shortly afterwards by RSA, an implementation of public-key cryptography using asymmetric algorithms.

Expired US patent 4,200,770^[7] from 1977 describes the now public-domain algorithm. It credits Hellman, Diffie, and Merkle as inventors.

g, public (primitive root) base, known to Alice, Bob, and Eve. g = 5

p, public (prime) modulus, known to Alice, Bob, and Eve. p = 23

a, Alice's private key, known only to Alice. a = 6

b, Bob's private key known only to Bob. b = 15

A, Alice's public key, known to Alice, Bob, and Eve. A = g^a mod p = 8

B, Bob's public key, known to Alice, Bob, and Eve. B = g^b mod p = 19

Starting with an "empty" key consisting only of g, the secret is made by raising the current value to every participant's private exponent once, in any order (the first such exponentiation yields the participant's own public key).

Any intermediate value (having up to N−1 exponents applied, where N is the number of participants in the group) may be revealed publicly, but the final value (having had all N exponents applied) constitutes the shared secret and hence must never be revealed publicly. Thus, each user must obtain their copy of the secret by applying their own private key last (otherwise there would be no way for the last contributor to communicate the final key to its recipient, as that last contributor would have turned the key into the very secret the group wished to protect).

Diffie–Hellman key agreement is not limited to negotiating a key shared by only two participants. Any number of users can take part in an agreement by performing iterations of the agreement protocol and exchanging intermediate data (which does not itself need to be kept secret). For example, Alice, Bob, and Carol could participate in a Diffie–Hellman agreement as follows, with all operations taken to be modulo p:

An eavesdropper has been able to see $g a mod p$ , $g b mod p$ , $g c mod p$ , $g ab mod p$ , $g ac mod p$ , and $g bc mod p$ , but cannot use any combination of these to efficiently reproduce $g abc mod p$ .

To extend this mechanism to larger groups, two basic principles must be followed:

These principles leave open various options for choosing in which order participants contribute to keys. The simplest and most obvious solution is to arrange the N participants in a circle and have N keys rotate around the circle, until eventually every key has been contributed to by all N participants (ending with its owner) and each participant has contributed to N keys (ending with their own). However, this requires that every participant perform N modular exponentiations.

By choosing a more desirable order, and relying on the fact that keys can be duplicated, it is possible to reduce the number of modular exponentiations performed by each participant to $log 2 (N) + 1$ using a divide-and-conquer-style approach, given here for eight participants:

Once this operation has been completed all participants will possess the secret $g abcdefgh$ , but each participant will have performed only four modular exponentiations, rather than the eight implied by a simple circular arrangement.

Other uses[edit]

Encryption[edit]

Public key encryption schemes based on the Diffie–Hellman key exchange have been proposed. The first such scheme is the ElGamal encryption. A more modern variant is the Integrated Encryption Scheme.

Forward secrecy[edit]

Protocols that achieve forward secrecy generate new key pairs for each session and discard them at the end of the session. The Diffie–Hellman key exchange is a frequent choice for such protocols, because of its fast key generation.

Password-authenticated key agreement[edit]

When Alice and Bob share a password, they may use a password-authenticated key agreement (PK) form of Diffie–Hellman to prevent man-in-the-middle attacks. One simple scheme is to compare the hash of s concatenated with the password calculated independently on both ends of channel. A feature of these schemes is that an attacker can only test one specific password on each iteration with the other party, and so the system provides good security with relatively weak passwords. This approach is described in ITU-T Recommendation X.1035, which is used by the G.hn home networking standard.

An example of such a protocol is the Secure Remote Password protocol.

Public key[edit]

It is also possible to use Diffie–Hellman as part of a public key infrastructure, allowing Bob to encrypt a message so that only Alice will be able to decrypt it, with no prior communication between them other than Bob having trusted knowledge of Alice's public key. Alice's public key is $(g^{a}{\bmod {p}},g,p)$ . To send her a message, Bob chooses a random b and then sends Alice $g^{b}{\bmod {p}}$ (unencrypted) together with the message encrypted with symmetric key $(g^{a})^{b}{\bmod {p}}$ . Only Alice can determine the symmetric key and hence decrypt the message because only she has a (the private key). A pre-shared public key also prevents man-in-the-middle attacks.

In practice, Diffie–Hellman is not used in this way, with RSA being the dominant public key algorithm. This is largely for historical and commercial reasons, namely that RSA Security created a certificate authority for key signing that became Verisign. Diffie–Hellman, as elaborated above, cannot directly be used to sign certificates. However, the ElGamal and DSA signature algorithms are mathematically related to it, as well as MQV, STS and the IKE component of the IPsec protocol suite for securing Internet Protocol communications.

key exchange

Elliptic-curve Diffie–Hellman

Supersingular isogeny key exchange

Forward secrecy

Diffie–Hellman problem

Modular exponentiation

Denial-of-service attack

Post-Quantum Extended Diffie-Hellman

Gollman, Dieter (2011). Computer Security (2nd ed.). West Sussex, England: John Wiley & Sons, Ltd. 978-0470741153.

ISBN

Williamson, Malcolm J. (January 21, 1974). (PDF) (Technical report). Communications Electronics Security Group. Archived (PDF) from the original on 2017-03-23. Retrieved 2017-03-22.

Non-secret encryption using a finite field

Williamson, Malcolm J. (August 10, 1976). (PDF) (Technical report). Communications Electronics Security Group. Archived (PDF) from the original on 2004-07-19. Retrieved 2015-08-25.

Thoughts on Cheaper Non-Secret Encryption

JH Ellis 1987 (28K PDF file) (HTML version)

The History of Non-Secret Encryption

Whitfield Diffie, Proceedings of the IEEE, vol. 76, no. 5, May 1988, pp: 560–577 (1.9MB PDF file)

The First Ten Years of Public-Key Cryptography

; van Oorschot, Paul; Vanstone, Scott (1997). Handbook of Applied Cryptography Boca Raton, Florida: CRC Press. ISBN 0-8493-8523-7. (Available online)

Menezes, Alfred

(1999) The Code Book: the evolution of secrecy from Mary Queen of Scots to quantum cryptography New York: Doubleday ISBN 0-385-49531-5

Singh, Simon

Martin E. Hellman, IEEE Communications Magazine, May 2002, pp. 42–49. (123kB PDF file)

An Overview of Public Key Cryptography

Charles Babbage Institute, University of Minnesota. Leading cryptography scholar Martin Hellman discusses the circumstances and fundamental insights of his invention of public key cryptography with collaborators Whitfield Diffie and Ralph Merkle at Stanford University in the mid-1970s.

Oral history interview with Martin Hellman

RFC – Diffie–Hellman Key Agreement Method. E. Rescorla. June 1999.

2631

RFC – More Modular Exponential (MODP) Diffie–Hellman groups for Internet Key Exchange (IKE). T. Kivinen, M. Kojo, SSH Communications Security. May 2003.

3526

(64K PDF file) (Description of ANSI 9 Standards)

Summary of ANSI X9.42: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography

Talk by Martin Hellman in 2007, YouTube video

Crypto dream team Diffie & Hellman wins $1M 2015 Turing Award (a.k.a. "Nobel Prize of Computing")

– This demo properly supports very-large key data and enforces the use of prime numbers where required.