In the last weeks I got involved a lot of times with HTTPS and SSL/TLS, most of the time because of website certificates or trusted connections.
That got me interested in the name popping up over and over again: The Diffie-Hellman key exchange.
I started reading about it and got really intrigued: Establishing a secure connection over an insecure channel - What? How is that even possible? Everybody can see everything that's exchanged, and you still can set up a secure connection? That seems totally counter-intuitive.
There's a really good StackOverflow answer here, I recommend you go and read it. To cite:
You're not sharing information during the key exchange, you're creating a key together.
How it works
- Alice comes up with two prime numbers
p. Alice then picks a secret number (
a) and computes
g^a mod p.
- Alice sends the result to Bob. We'll call this
Asince it was calculated from
a. (The primes
pare also sent to Bob.)
- Bob does the same thing - he chooses his secret number
band computes the number
B, which is
g^b mod p.
- Bob sends Alice the result (called
- Now, Alice takes the number Bob sent her and does the exact same operation with it, and this is where the magic happens -
B^a mod pcreates
K, the key which they will use from now on for communicating securely. Bob does the same operation with
Awhich he got from Alice:
A^b mod p, which will also return
The whole thing works because there is no efficient way to solve the discrete logarithm problem, but the parameters have to be chosen carfully (there are RFCs containing safe primes suitable for Diffie-Hellman).
Grab a friend (or open a second browser tab) and try it yourself!
Obviously, this is for demonstration only, as the numbers are far, far too small. Also, never use something you find on a random blog post for cryptographic purposes.
Full code is also on Github.
- Diffie-Hellman Key Exchange, especially paragraph "Choosing safe primes"
- On Generators of Diffie-Hellman-Groups
- Good explanation of DH on Stackexchange
Thanks for reading!