- Diffie-Hellman key exchange
Diffie-Hellman key exchange (D-H) is a
cryptographic protocolthat allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Synonyms of Diffie-Hellman key exchange include:
*Diffie-Hellman key agreement
*Diffie-Hellman key establishment
*Diffie-Hellman key negotiation
*Exponential key exchange
The scheme was first published publicly by
Whitfield Diffieand Martin Hellmanin 1976, although it later emerged that it had been separately invented a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamsonbut was kept classified. In 2002, Hellman suggested the algorithm be called Diffie-Hellman-Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of public-key cryptography(Hellman, 2002).
Although Diffie-Hellman key agreement itself is an "anonymous" (non-"authenticated")
key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecyin Transport Layer Security's ephemeral modes.
History of the protocol
Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a
shared secretover an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithmproblem. It had been discovered by Malcolm Williamson of GCHQin the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia.
The method was followed shortly afterwards by
RSA, another implementation of public key cryptography using asymmetric algorithms.
In 2002, Martin Hellman wrote:
The system...has since become known as Diffie-Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie-Hellman-Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography. [http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf]
US patent|4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors.
The simplest, and original, implementation of the protocol uses the Multiplicative group of integers modulo "p", where "p" is prime and "g" is primitive root mod "p". Here is an example of the protocol:|
Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it isn't difficult for Alice to solve for Bob's private key (or vice versa), Eve may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key. Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key).
The protocol is considered secure against eavesdroppers if "G" and "g" are chosen properly. The eavesdropper ("Eve") must solve the
Diffie-Hellman problemto obtain "g""ab". This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problemwould make it easy to compute "a" or "b" and solve the Diffie-Hellman problem, making this and many other public key cryptosystems insecure.
The order of "G" should be prime or have a large prime factor to prevent use of the
Pohlig-Hellman algorithmto obtain "a" or "b". For this reason, a Sophie Germain prime"q" is sometimes used to calculate "p=2q+1", called a safe prime, since the order of "G" is then only divisible by 2 and "q". "g" is then sometimes chosen to generate the order "q" subgroup of "G", rather than "G", so that the Legendre symbolof "ga" never reveals the low order bit of "a".
If Alice and Bob use
random number generators whose outputs are not completely random and can be predicted to some extent, then Eve's task is much easier.
The secret integers "a" and "b" are discarded at the end of the session.Therefore, Diffie-Hellman key exchange by itself trivially achieves
perfect forward secrecybecause no long-term private keying material exists to be disclosed.
In the original description, the Diffie-Hellman exchange by itself does not provide
authenticationof the communicating parties and is thus vulnerable to a man-in-the-middle attack. A person in the middle may establish two distinct Diffie-Hellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then re-encrypt the messages passed between them. A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack.
A variety of cryptographic authentication solutions incorporate a Diffie-Hellman exchange. When Alice and Bob have a
public key infrastructure, they may digitally sign the agreed key, or "g""a" and "g""b", as in MQV, STS and the IKE component of the IPsecprotocol suite for securing Internet Protocolcommunications. When Alice and Bob share a password, they may use a password-authenticated key agreementform of Diffie-Hellman.
* [http://www.mirrors.wiretapped.net/security/info/reference/cesg-publications/History/secenc.pdf Non-Secret Encryption Using a Finite Field] MJ Williamson,
January 21, 1974.
* [http://www.fi.muni.cz/usr/matyas/lecture/paper3.pdf Thoughts on Cheaper Non-Secret Encryption] MJ Williamson,
August 10, 1976.
* [http://citeseer.ist.psu.edu/340126.html New Directions in Cryptography] W. Diffie and M. E. Hellman, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644-654.
* Martin E. Hellman, Bailey W. Diffie, and Ralph C. Merkle, U.S. Patent #4,200,770,
29 April 1980
* [http://www.cesg.gov.uk/site/publications/media/ellis.pdf The History of Non-Secret Encryption] JH Ellis 1987 (28K PDF file) ( [http://www.jya.com/ellisdoc.htm HTML version] )
* [http://cr.yp.to/bib/1988/diffie.pdf The First Ten Years of Public-Key Cryptography] Whitfield Diffie, Proceedings of the IEEE, vol. 76, no. 5, May 1988, pp: 560-577 (1.9MB PDF file)
* Menezes, Alfred; van Oorschot, Paul; Vanstone, Scott (1997). "
Handbook of Applied Cryptography" Boca Raton, Florida: CRC Press. ISBN 0-8493-8523-7. ( [http://www.cacr.math.uwaterloo.ca/hac/ Available online] )
* Singh, Simon (1999) "
The Code Book: the evolution of secrecy from Mary Queen of Scots to quantum cryptography" New York: Doubleday ISBN 0-385-49531-5
* [http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf An Overview of Public Key Cryptography] Martin E. Hellman, IEEE Communications Magazine, May 2002, pp:42-49. (123kB PDF file)
Elliptic Curve Diffie-Hellman
Password-authenticated key agreement
* RFC 2631 - "Diffie-Hellman Key Agreement Method" E. Rescorla June 1999.
* [http://csrc.nist.gov/encryption/kms/summary-x9-42.pdf "Summary of ANSI X9.42: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography"] (64K PDF file) ( [http://www.rsasecurity.com/rsalabs/node.asp?id=2306 Description of ANSI 9 Standards] )
* [http://www.xml-dev.com/blog/index.php?action=viewtopic&id=196 Diffie-Hellman explained visually]
* [http://www.netip.com/articles/keith/diffie-helman.htm Diffie-Hellman Key Exchange – A Non-Mathematician’s Explanation] by Keith Palmgren
* [http://search.cpan.org/search?query=Crypt%3A%3ADH&mode=module Crypt::DH]
Perlmodule from CPAN
* [http://ds9a.nl/tmp/dh.html Hands-on Diffie-Hellman demonstration]
* [http://oldpiewiki.yoonkn.com/cgi-bin/moin.cgi/DiffieHellmanKeyExchange C implementation using GNU Multiple Precision Arithmetic Library]
Wikimedia Foundation. 2010.