The Diffie-Hellman key exchange lets two parties agree on a key without that key ever being transmitted. No message content is passed during the exchange; its only goal is to establish an encryption key shared by the two parties. That key matters because once it is established, information can be sent using the encryption algorithm that both parties have already agreed upon.

Once the exchange is complete, each user computes the key on their own computer using a secret value that stays there. An outside listener therefore cannot decrypt the message: they would need the secret keys that the users created. Even someone who captures the traffic and comes back to examine it at a later date cannot determine the message that was sent, because of the way the math works.

Both parties first agree on two prime numbers. Each party then combines its own secret with those prime numbers using modular arithmetic and sends the result to the other party. The second party can turn the first party's result into the shared key using its own secret, because the same modular calculation gives both parties the same answer.

The following is a simple example showing how the math works when the two parties compute the key. The first step is that two prime numbers are shared between the parties. For the example, we will use the prime numbers 13 and 17. The first party then picks a secret number; for this example, the first user will use 3. The user then calculates 13^3 mod 17, which gives an answer of 4. The first party sends the number 4 to the second party. The second user then picks their own secret number and performs the same calculation with it. For this example, they will use the number 8, so they calculate 13^8 mod 17. The answer is 1, and this number is passed back to the first user.

Now each user performs the calculation that produces the key for the message. The first user takes the number that was sent to them, 1, and applies the same formula with their secret key of 3 as the exponent: 1^3 mod 17. The answer is 1. This is the key that the first user will use to decrypt the messages exchanged between the parties. The second user uses their secret key of 8 along with the number 4 that the first user sent them: 4^8 mod 17. This also gives an answer of 1. The key to this working is that both users end up with the same answer regardless of which secrets they chose.

In actual application, the numbers used are far larger, resulting in a far more complex password. That password can be used to create an actual encryption key for a well-known encryption algorithm such as AES. The message itself can be encrypted on one user's local disk and sent to the second user. The Diffie-Hellman key exchange does not perform the encryption; it just provides both users with the same password to open the encrypted file, and that password is never sent over the network. Anyone who analyzes the transmission would need both prime numbers and the secret keys to decrypt the message. The real security lies in the fact that neither secret key is ever transmitted over the network. The following is what is passed along.

  1. User one sends two prime numbers to user two.
  2. User one selects a secret and completes the calculation and sends the answer to user two.
  3. User two selects their secret and completes the calculation and sends their answer to user one.

Following this transmission, anyone watching the network will be able to see both prime numbers and both answers to the calculation. Neither secret key is ever sent, which means that no one listening, or reviewing the captured transmission later, will be able to decipher the password that is being created. That is the goal of the Diffie-Hellman key exchange.
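The exchange described in the worked example and in the three steps above, as an added example that is not part of the original article: it runs the same calculation with the article's values (13, 17, secrets 3 and 8), checks that both sides agree, and also measures how many distinct values the public number 13 can produce modulo 17, which shows why those toy parameters are a poor choice. The second parameter set (p = 23, g = 5) and the hash-based key derivation are constructed for illustration.

```python
import hashlib
from typing import Tuple


def multiplicative_order(g: int, p: int) -> int:
    """Smallest k >= 1 with g**k == 1 (mod p).

    The public values g^a mod p can only take this many distinct values,
    so a small order means a small set of possible keys.
    """
    if g % p == 0:
        raise ValueError("g must not be a multiple of p")
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def dh_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, int]:
    """Return (A, B, shared): A and B are the values sent over the network,
    shared is the secret both sides compute without ever sending it."""
    A = pow(g, a, p)        # user one computes g^a mod p and sends A
    B = pow(g, b, p)        # user two computes g^b mod p and sends B
    s1 = pow(B, a, p)       # user one: B^a mod p, using its own secret a
    s2 = pow(A, b, p)       # user two: A^b mod p, using its own secret b
    assert s1 == s2, "both parties must derive the same secret"
    return A, B, s1


def derive_key(shared: int, p: int) -> bytes:
    """Turn the shared integer into a 32-byte AES-256 key by hashing it.
    Hashing as the key-derivation step is an assumption of this example."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


if __name__ == "__main__":
    # The article's values: primes 13 and 17, secrets 3 and 8.
    print(dh_exchange(17, 13, 3, 8))        # (4, 1, 1)
    print(multiplicative_order(13, 17))     # 4: only four possible public values
    # Constructed values: p = 23 with g = 5, whose order is 22, secrets 4 and 3.
    print(dh_exchange(23, 5, 4, 3))         # (4, 10, 18)
    print(multiplicative_order(5, 23))      # 22
    print(derive_key(18, 23).hex())         # 32-byte key for the cipher
```

With the article's numbers, 13 has order 4 modulo 17, so an eavesdropper could try every possible shared secret by hand; real deployments use primes of thousands of bits and a generator of large order so that exhaustive search and discrete-log attacks are infeasible.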