Diffie-Hellman key exchange is a cryptographic protocol which allows two parties to agree on a secret key over an insecure communication channel. Once the shared secret key has been established, they can use it to encrypt their secret communication using the conventional methods of cryptography. (The terms key agreement and key negotiation are also used. Arguably, these terms are more accurate as no keys are actually exchanged.)

The algorithm was first published by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been discovered a few years earlier within GCHQ, the British cryptography agency, by Malcolm Willamson but was kept as a military secret. In 2002, Hellman suggested the algorithm be called Diffie-Hellman-Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of public-key cryptography (Hellman, 2002).

Diffie-Hellman key agreement is used, in conjunction with several alternative authentication methods, in the IKE component of the IPSec protocol suite, for securing Internet Protocol communications.

Contents

1 History of the protocol 2 Description 3 Security 4 References 5 External links

History of the protocol

Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had been discovered by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not make it public until 1997, by which time it had no influence on research in academia.

The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms.

In 2002, Martin Hellman wrote:

"The system...has since become known as Diffie-Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie-Hellman-Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography." [1]

U.S. Patent #4,200,770 [2], now expired, covers the algorithm and credits Hellman, Diffie, and Merkle as inventors.

Description

The protocol is as follows:

1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b.

Both Alice and Bob are now in possession of the group element g^ab which can serve as the shared secret key. The values of (g^b)^a and (g^a)^b are the same because groups are power associative. (See also exponentiation.)

The most commonly used group G is the multiplicative group of integers modulo p , where p is prime. (Every integer x where 1 <= x <= p - 1 is a member of the group because p is prime.) The protocol works with other groups as well.

Security

The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper ("Eve") must solve the Diffie-Hellman problem to obtain g^ab. This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie-Hellman problem, making this protocol insecure.

The order of G should be prime or have a large prime factor to prevent use of the Pohlig-Hellman algorithm to obtain a or b.

If Alice and Bob use random number generators whose outputs are not completely random but can be predicted to some extent, then Eve's task is much easier.

The protocol is vulnerable to the man in the middle attack in which the attacker is able to read and modify all messages between Alice and Bob. Workarounds exist, such as digitally signing each message, which is possible if Alice and Bob have a public key infrastructure.

References

• Non-Secret Encryption Using a Finite Field MJ Williamson, January 21, 1974.
• Thoughts on Cheaper Non-Secret Encryption MJ Williamson, August 10, 1976.
• New Directions in Cryptography W. Diffie and M. E. Hellman, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644-654.
• Cryptographic apparatus and method Martin E. Hellman, Bailey W. Diffie, and Ralph C. Merkle, U.S. Patent #4,200,770, 29 April 1980
• The History of Non-Secret Encryption JH Ellis 1987 (28K PDF file) (HTML version)
• The First Ten Years of Public-Key Cryptography Whitfield Diffie, Proceedings of the IEEE, vol. 76, no. 5, May 1988, pp: 560-577 (1.9MB PDF file)
• Menezes, Alfred ; van Oorschot, Paul ; Vanstone, Scott (1997). Handbook of Applied Cryptography Boca Raton, Florida: CRC Press. ISBN 0-8493-8523-7.
• Singh, Simon (1999) The Code Book: the evolution of secrecy from Mary Queen of Scots to quantum cryptography New York: Doubleday ISBN 0-385-49531-5
• An Overview of Public Key Cryptography Martin E. Hellman, IEEE Communications Magazine, May 2002, pp:42-49. (123kB PDF file)

External links

• RFC 2631, Diffie-Hellman Key Agreement Method E. Rescorla June 1999. Full text of RFC 2631
• Summary of ANSI X9.42: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography (64K PDF file) (Description of ANSI 9 Standards)