Introduction
Hello Reader!!
We already know the importance of a safe and robust key exchange technique in cryptography. We will learn about one such technique called Diffie-Hellman Key Agreement.
The Diffie-Hellman key exchange is one of the greatest developments in public-key cryptography and is still widely used in a variety of modern security protocols.
In this article, we'll understand what it's used for, how it works step by step, its multiple versions, and the security concerns that must be considered to implement it properly.
So, let's get started!
Diffie-Hellman key exchange
The Diffie-Hellman key exchange is a mathematical method for reliably exchanging cryptographic keys over a public channel. It was one of the earliest public-key protocols.
Let us understand this protocol in depth.
What is it?
The Diffie-Hellman key exchange protocol was the first commonly used way of producing and exchanging keys through an insecure channel.
In the above terms, it may not appear fascinating or new, so let us share an example of why the Diffie-Hellman key exchange was such a crucial milestone in cryptography and why it is still widely used today.
Let's say you are an undercover agent and need to send some crucial information to the head. In this case, how will you ensure that the message reaches only the head and no third party tampers with it?
There could be many solutions, the most common being encrypting the message with a code. The simplest method could be to arrange the type of code and key beforehand, or it could be done through a secure channel of communication.
Assume that you are not a good agent, and you and your head have agreed upon using a weak cipher, let's say the shift cipher, to encode your secret message.
In this method, every "a" becomes "c," "b" becomes "d," "c" becomes "e," and so on, till "z" becomes "b."
Using this shift cipher, the message "Can you hear me" becomes "ecp aqw jgct og." In this scenario, we assume that Eve is as incompetent as the agent and will not be able to crack the simple code.
But what if you do not have the code arranged with your head beforehand?
Suppose you wish to communicate with another agent from a different nation you have never met. This means you do not have a secure channel to communicate with them. You must encrypt your message to keep it safe from the adversary.
So, how do you exchange information safely with someone if you haven't exchanged the key beforehand?
The Diffie-Hellman key exchange was the first publicly available solution to this problem. The approach enables random people to securely establish a shared key, even via an unsecured channel that adversaries may be observing.
Uses
The primary goal of the Diffie-Hellman key exchange is to securely establish shared secrets from which keys may be obtained. These keys can then be used with symmetric-key algorithms to communicate messages securely. Since symmetric algorithms are more efficient than public-key algorithms, they are commonly used to encrypt most data.

In theory, the Diffie-Hellman key exchange may be used to generate public and private keys. In practice, though, RSA is more often used. This is because the RSA technique can also sign public-key certificates, but the Diffie-Hellman key exchange cannot.

Because the ElGamal algorithm, prominently used in PGP, is based on the Diffie-Hellman key exchange, any protocol that employs it is functionally implementing Diffie-Hellman.

The Diffie-Hellman key exchange is widely used in security protocols as one of the most prevalent ways for properly distributing keys. As a result, it is an essential component of our secure communications.
The Diffie-Hellman key exchange is commonly used as part of various protocols to help protect our connection to a website, remotely access another computer, and transmit encrypted emails.
Working
The Diffie-Hellman key exchange is a complex protocol, and it may be difficult to understand how it works. It requires the use of very large numbers and complex maths.
To make it easier to understand, let us start with an analogy. After getting the big picture, we will look at the technical details of the process.
Suppose Alice and Bob want to mix paint.
1. They both decide on a random color to begin with. Assume they exchange messages and agree on yellow as their common color, as shown in the picture below:
2. They each decide on their own secret color. They do not inform the other party of their decision. Let's assume Alice goes with red and Bob goes with cyan.
3. The next step is for Alice and Bob to combine their secret colors with the yellow they selected collectively. According to the above image, Alice gets an orangish mix, while Bob gets a darker blue.
4. They share the product with the opposite party after mixing. Alice gets the deeper blue paint, while Bob gets the orange paint.
5. After receiving the mixed result from each other, they add their secret color to it. Alice adds her secret red paint to the deeper blue, while Bob adds his secret cyan to the orange mix he got.
6. To our surprise, both get the same color, i.e., brown color. This is the shared color, referred to as the common secret.
The main factor of the Diffie-Hellman key exchange is that both sides achieve the same result without ever sending the complete shared secret over the communication channel.
Now, if an attacker is observing this exchange, all he can get is the common yellow color that Alice and Bob started with and the mixtures that they exchanged.
The structure of the Diffie-Hellman key exchange is responsible for making it so valuable. It enables the two parties to interact via a potentially unsafe connection while establishing a shared secret that may be used to generate encryption keys for future communications.
Technical Details
It operates on the same premise as the above example. Still, instead of mixing and delivering colors, the Diffie-Hellman system performs computations based on extremely big prime numbers and sends them over.
The prime (p) should be at least 2048 bits long to ensure security. But, for easy understanding, we will be working with much smaller numbers here. We must remember that if such small numbers are used in practice, then the Diffie-Hellman key exchange would be insecure.
Suppose Alice and Bob start by mutually deciding on two numbers to work with. Let these numbers be modulus (p) and base (g).
In practice, the modulus (p) is a very big prime integer, and the base (g) is kept as small as possible to ease computations. The base (g) is formed from a cyclic group (G), generally formed before the other steps.
To take our example, let us assume that the modulus (p) is 19 and the base (g) is 6.

After agreeing on these numbers, Alice selects a secret number, m, for herself, while Bob selects his secret number n. Let us suppose they decide:
m=2
n=4 
Alice then does the following calculation to get the number she will send to Bob:
A = g^{m} mod p
Here, the mod is the modulo operation.
A = 6^{2} mod 19
A = 36 mod 19
A = 17 
Doing the same above steps for Bob:
B = g^{n} mod p
B = 6^{4} mod 19
B = 1296 mod 19
B = 4
Alice and Bob send their results to each other.

Alice then uses the following formula to determine the shared secret s:
s = B^{m} mod p
s = 4^{2} mod 19
s = 16 mod 19
s = 16 
Bob as well does the same:
s = A^{n} mod p
s = 17^{4} mod 19
s = 83,521 mod 19
s = 16
As you can see, both parties got the same answer for s, which was 16. This is the shared secret that only Alice and Bob are aware of. They may then use this to generate a key for symmetric encryption, allowing them to exchange information between themselves securely that only they can access.
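The arithmetic above, as an added example (not code from the original article): Python's three-argument pow performs the modular exponentiation, so the same functions serve the toy numbers used here and a real 2048-bit prime. The function names and the SHA-256 key derivation are assumptions of this example; recover_exponent shows why the toy modulus gives no protection.

```python
import hashlib
import secrets


def dh_public(g, secret, p):
    """Value sent over the public channel: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p):
    """Shared secret computed locally: peer_public^secret mod p."""
    return pow(peer_public, secret, p)


def derive_key(shared, p):
    """Assumed KDF for this example: SHA-256 over the fixed-width encoding of s."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def random_secret(p):
    """Fresh secret exponent in 2..p-2, drawn from the OS CSPRNG."""
    return secrets.randbelow(p - 3) + 2


def recover_exponent(p, g, public):
    """Exhaustive search for x with g^x = public (mod p).
    It only finishes because p is tiny; at 2048 bits the loop is out of reach."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


# The article's toy parameters and secrets.
P, G, M, N = 19, 6, 2, 4
A, B = dh_public(G, M, P), dh_public(G, N, P)
S_ALICE, S_BOB = dh_shared(B, M, P), dh_shared(A, N, P)

if __name__ == "__main__":
    print("A =", A, "B =", B)
    print("shared secret:", S_ALICE, S_BOB)
    print("symmetric key:", derive_key(S_ALICE, P).hex())
    print("exponent found from A alone:", recover_exponent(P, G, A))
```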
Why is it secure?
Mathematically, the Diffie-Hellman key exchange is secure since it is based on one-way functions. These computations are simple to do in one direction but far more challenging to perform in the opposite direction.
It is based on the Diffie-Hellman problem, which assumes that, under the correct parameters, calculating g^{mn} from the independent values of g, g^{m}, and g^{n} is computationally infeasible. Although attackers may intercept the values p, g, A, and B, the Diffie-Hellman key exchange is deemed safe since there is presently no publicly known mechanism to quickly obtain g^{mn} from the other values.
Authentication & the Diffie-Hellman key exchange
In practice, the Diffie-Hellman key exchange is rarely used on its own. The primary reason for this is that it does not provide authentication, leaving users exposed to man-in-the-middle attacks.
These attacks are possible when the Diffie-Hellman key exchange is used alone because it cannot confirm whether the other party in a connection is who they claim to be. If no authentication is used, users may interact with attackers while believing they are communicating with a trusted person.
As a result, the Diffie-Hellman key exchange is typically used with some form of authentication. This often involves the use of digital certificates and a public-key algorithm, such as RSA, to validate each party's identity.
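What the missing authentication means in practice, as an added example (not from the original article): when a party on the path replaces both public values with its own, Alice and Bob each complete the exchange without any error, yet they hold different secrets and different views of what was exchanged. The fingerprint comparison below stands in for the signature check over the exchanged values that a certificate-based protocol performs; the function names and the substituted secret are constructed for the illustration.

```python
import hashlib


def fingerprint(p, g, alice_public, bob_public):
    """Short hash of the public transcript as one party saw it."""
    data = "|".join(str(v) for v in (p, g, alice_public, bob_public)).encode()
    return hashlib.sha256(data).hexdigest()[:16]


def run_exchange(p, g, m, n, substituted_secret=None):
    """Return ((alice_secret, alice_view), (bob_secret, bob_view)).

    substituted_secret=None models an untouched channel. Any other value
    models an on-path party that swaps each public value for g^x mod p.
    """
    a_pub = pow(g, m, p)
    b_pub = pow(g, n, p)
    if substituted_secret is None:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    else:
        seen_by_alice = seen_by_bob = pow(g, substituted_secret, p)
    alice = (pow(seen_by_alice, m, p), fingerprint(p, g, a_pub, seen_by_alice))
    bob = (pow(seen_by_bob, n, p), fingerprint(p, g, seen_by_bob, b_pub))
    return alice, bob


def views_match(alice, bob):
    """The check authentication adds: both sides must agree on the transcript."""
    return alice[1] == bob[1]


if __name__ == "__main__":
    # The article's toy numbers; 5 is a constructed value for the third party.
    for label, x in (("clean channel", None), ("values replaced", 5)):
        alice, bob = run_exchange(19, 6, 2, 4, substituted_secret=x)
        print(label, "| secrets:", alice[0], bob[0],
              "| transcripts agree:", views_match(alice, bob))
```

Plain Diffie-Hellman never performs the views_match step, which is why the second case goes unnoticed unless the public values are signed or otherwise authenticated.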
Variations
The Diffie-Hellman key exchange may be implemented in various ways, and it has also served as the foundation for various additional algorithms. Some implementations include authentication, while others include cryptographic features like perfect forward secrecy.
Some of these are listed below:
 ElGamal
 Elliptic-curve Diffie-Hellman
 TLS
 STS (Station-to-Station protocol)
Security issues
The security of the Diffie-Hellman key exchange is determined by how it is implemented as well as the numbers used. As previously mentioned, it has no way of authenticating the other party on its own. Instead, other mechanisms are applied to verify that the other party in a connection is genuine.
Number selection parameters
The numbers should not only be large but also sufficiently random.
To ensure security, the integer p should be 2048 bits long. The base, g, can be a small integer like 2, but it must come from a group G whose order has a large prime factor.
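The two requirements above turned into checks, as an added example (not from the original article). It computes the order of g and its largest prime factor, and validates a peer's public value before use. The trial-division factoring is only workable for toy moduli such as the article's p = 19, and the default thresholds and function names are assumptions of this example.

```python
def prime_factors(n):
    """Trial division; adequate only for toy-sized n like the ones on this page."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def element_order(g, p):
    """Order of g modulo the prime p: how many distinct values g^x can take."""
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def check_params(p, g, min_p_bits=2048, min_factor_bits=224):
    """Return a list of problems (empty if none). Thresholds are assumed defaults."""
    if not 2 <= g <= p - 2:
        return ["g must lie in 2..p-2"]
    problems = []
    if p.bit_length() < min_p_bits:
        problems.append(f"p is {p.bit_length()} bits, want >= {min_p_bits}")
    largest = max(prime_factors(element_order(g, p)))
    if largest.bit_length() < min_factor_bits:
        problems.append(f"order of g has largest prime factor {largest}")
    return problems


def valid_public(y, p, order=None):
    """Reject peer values that force a predictable secret (0, 1, p-1) and,
    when the order of g is known, values outside the subgroup g generates."""
    if not 2 <= y <= p - 2:
        return False
    return order is None or pow(y, order, p) == 1


if __name__ == "__main__":
    print("order of 6 mod 19:", element_order(6, 19))
    print("article's toy parameters:", check_params(19, 6))
    print("B = 4 acceptable:", valid_public(4, 19, order=9))
```

For the article's numbers the order of g = 6 is 9, so the public values can take only nine distinct values and the largest prime factor of the order is 3.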