Invented by Whitfield Diffie and Martin Hellman in 1970, Diffie Hellman was the first published public key cryptography standard. The goal of DH is to allow two parties to derive a common, yet secret session key by transmitting only public information over an insecure medium.
The DH standard works based on a set of prime numbers and a “generator.” When two peers, such as gateway “A” and gateway “B” which to communicate, they first exchange a few public numbers, let's say:
- A prime number, 109, which shall be referred to as “P.”
- A base number, 7, which shall be referred to as “g.”
Side A then proceeds to generate a public/private key pair of its own. For our example:
- A's randomly generated private key shall be 11, and will known as “x.”
- A's public key will be (gx mod P), or 35.
Side B then generates a public/private key pair as well. For our scenario:
- B's randomly generated private key shall be 13, and will be known as “y.”
- B's public key will be (gy mod P), or 80.
Now that unique key pairs have been generated by both side A and side B, each side will exchange public keys. In other words, side A gets side B's public key, and side B gets side A's public key.
With public keys exchanged, we're now able to (finally!) generate a secret, yet common session key between the two parties with just a little algebra. This is done by each side taking the “remote” public key and raising it to the power of the local private key. That product, mod P, becomes the session key. For example:
Side A:
Take B's public key, 80, raised to x, mod P. This is [(8011) mod 109)], or 9.
Side A's secret session key is the number 9. Side B should be able to derive the same number, but using different numbers.
Side B:
Take A's public key, 35, raised to y, mod P. This is [(3513) mod 109)], or 9.
As we can see, both side A and side B have arrived at the same secret key number, 9, without ever having to exchange this number in the clear.
Of course, these are very small prime numbers and would be trivial to factor, making them susceptible to brute force attacks. To harden the algorithm, Diffie Hellman uses very large prime numbers, categorized by group:
- Diffie Hellman Group 1: 768 bit prime number
- Diffie Hellman Group 2: 1024 bit prime number
- Diffie Hellman Group 5: 1536 bit prime number
As the prime number group size increases, so does the calculation time required to factor out the operations While this may increase security, it also increases computational overhead.
|
|
Last Updated on Saturday, 21 November 2009 09:31 |
Feed Entries 
Tech Encyclopedia 
