Diffie–Hellman key exchange (D–H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Synonyms of Diffie–Hellman key exchange include:
The scheme was first published by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been separately invented a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamson but was kept classified. In 2002, Hellman suggested the algorithm be called Diffie–Hellman–Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of publickey cryptography (Hellman, 2002).
Although Diffie–Hellman key agreement itself is an anonymous (nonauthenticated) keyagreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite).
Contents 
The Diffie–Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had first been invented by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia.
The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms.
In 2002, Martin Hellman wrote:
The system...has since become known as Diffie–Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie–Hellman–Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography. [1]
U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors.
Diffie–Hellman establishes a shared secret that can be used for secret communications by exchanging data over a public network.
Here is an explanation which includes the encryption's mathematics:
The simplest, and original, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is primitive root mod p. Here is an example of the protocol, with nonsecret values in green, and secret values in boldface red:




Both Alice and Bob have arrived at the same value, because g^{ab} and g^{ba} are equal mod p. Note that only a, b and g^{ab} = g^{ba} mod p are kept secret. All the other values – p, g, g^{a} mod p, and g^{b} mod p – are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of a, b, and p would be needed to make this example secure, since it is easy to try all the possible values of g^{ab} mod 23 (there will be, at most, 22 such values, even if a and b are large). If p were a prime of at least 300 digits, and a and b were at least 100 digits long, then even the best algorithms known today could not find a given only g, p,g^{b} mod p and g^{a} mod p, even using all of mankind's computing power. The problem is known as the discrete logarithm problem. Note that g need not be large at all, and in practice is usually either 2 or 5.
Here's a more general description of the protocol:
Both Alice and Bob are now in possession of the group element g^{ab}, which can serve as the shared secret key. The values of (g^{b})^{a} and (g^{a})^{b} are the same because groups are power associative. (See also exponentiation.)
Here is a chart to help simplify who knows what. (Eve is an eavesdropper—she watches what is sent between Alice and Bob, but she does not alter the contents of their communications.)



Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it isn't difficult for Alice to solve for Bob's private key (or vice versa), Eve may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key. Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key). A demonstration of DiffieHellman (using numbers too small for practical use) is given here
The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper ("Eve") would have to solve the Diffie–Hellman problem to obtain g^{ab}. This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie–Hellman problem, making this and many other public key cryptosystems insecure.
The order of G should be prime or have a large prime factor to prevent use of the Pohlig–Hellman algorithm to obtain a or b. For this reason, a Sophie Germain prime q is sometimes used to calculate p=2q+1, called a safe prime, since the order of G is then only divisible by 2 and q. g is then sometimes chosen to generate the order q subgroup of G, rather than G, so that the Legendre symbol of g^{a} never reveals the low order bit of a.
If Alice and Bob use random number generators whose outputs are not completely random and can be predicted to some extent, then Eve's task is much easier.
The secret integers a and b are discarded at the end of the session. Therefore, Diffie–Hellman key exchange by itself trivially achieves perfect forward secrecy because no longterm private keying material exists to be disclosed.
In the original description, the Diffie–Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a maninthemiddle attack. A person in the middle may establish two distinct Diffie–Hellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then reencrypt the messages passed between them. A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack.
When Alice and Bob share a password, they may use a passwordauthenticated key agreement (PAKE) form of Diffie–Hellman to prevent maninthemiddle attacks. A simple scheme is to simply make the generator g the password. A feature of these schemes is that an attacker can only test one specific password on each iteration with the other party, and so the system provides good security with relatively weak passwords. This approach is described in ITUT Recommendation X.1035, which is used by the G.hn home networking standard.
It is also possible to use Diffie–Hellman as part of a public key infrastructure. Alice's public key is simply (g^{a},g,p). To send her a message Bob choses a random b, and then sends Alice g^{b} together with the message encrypted with symmetric key (g^{a})^{b}. Only Alice can decrypt the message because only she has a. A preshared public key also prevents maninthemiddle attacks.
In practice, Diffie–Hellman is not used in this way, with RSA being the dominant public key algorithm. This is largely for historical and commercial reasons, namely that RSA created a Certificate Authority that became Verisign. Diffie–Hellman cannot be used to sign certificates, although the ElGamal and DSA signature algorithms are related to it. However, it is related to MQV, STS and the IKE component of the IPsec protocol suite for securing Internet Protocol communications.

DiffieHellman key exchange (DH) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Synonyms of DiffieHellman key exchange include:
The scheme was first published publicly by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been separately invented a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamson but was kept classified. In 2002, Hellman suggested the algorithm be called DiffieHellmanMerkle key exchange in recognition of Ralph Merkle's contribution to the invention of publickey cryptography (Hellman, 2002).
Although DiffieHellman key agreement itself is an anonymous (nonauthenticated) keyagreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes.
Contents 
The DiffieHellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had been discovered by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia.
The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms.
In 2002, Martin Hellman wrote:
The system...has since become known as DiffieHellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'DiffieHellmanMerkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography. [1]
U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors.
The simplest, and original, implementation of the protocol uses the Multiplicative group of integers modulo p, where p is prime and g is primitive root mod p. Here is an example of the protocol:




Both Alice and Bob have arrived at the same value, because g^{ab} and g^{ba} are equal mod p. Note that only a, b and g^{ab} = g^{ba} mod p are kept secret. All the other values  p, g, g^{a} mod p, and g^{b} mod p  are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of a, b, and p would be needed to make this example secure, since it is easy to try all the possible values of g^{ab} mod 23 (there will be, at most, 22 such values, even if a and b are large). If p were a prime of at least 300 digits, and a and b were at least 100 digits long, then even the best algorithms known today could not find a given only g, p, and g^{a} mod p, even using all of mankind's computing power. The problem is known as the discrete logarithm problem. Note that g need not be large at all, and in practice is usually either 2 or 5.
Here's a more general description of the protocol:
Both Alice and Bob are now in possession of the group element g^{ab}, which can serve as the shared secret key. The values of (g^{b})^{a} and (g^{a})^{b} are the same because groups are power associative. (See also exponentiation.)
Here is a chart to help simplify who knows what. (Eve is an eavesdropper—she watches what is sent between Alice and Bob, but she does not alter the contents of their communications.)



Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it isn't difficult for Alice to solve for Bob's private key (or vice versa), Eve may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key. Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key).
The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper ("Eve") would have to solve the DiffieHellman problem to obtain g^{ab}. This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the DiffieHellman problem, making this and many other public key cryptosystems insecure.
The order of G should be prime or have a large prime factor to prevent use of the PohligHellman algorithm to obtain a or b. For this reason, a Sophie Germain prime q is sometimes used to calculate p=2q+1, called a safe prime, since the order of G is then only divisible by 2 and q. g is then sometimes chosen to generate the order q subgroup of G, rather than G, so that the Legendre symbol of g^{a} never reveals the low order bit of a.
If Alice and Bob use random number generators whose outputs are not completely random and can be predicted to some extent, then Eve's task is much easier.
The secret integers a and b are discarded at the end of the session. Therefore, DiffieHellman key exchange by itself trivially achieves perfect forward secrecy because no longterm private keying material exists to be disclosed.
In the original description, the DiffieHellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a maninthemiddle attack. A person in the middle may establish two distinct DiffieHellman key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing the attacker to decrypt (and read or store) then reencrypt the messages passed between them. A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack.
A variety of cryptographic authentication solutions incorporate a DiffieHellman exchange. When Alice and Bob have a public key infrastructure, they may digitally sign the agreed key, or g^{a} and g^{b}, as in MQV, STS and the IKE component of the IPsec protocol suite for securing Internet Protocol communications. When Alice and Bob share a password, they may use a passwordauthenticated key agreement form of DiffieHellman, such as the one described in ITUT Recommendation X.1035.
DiffieHellman key exchange (DH) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to securely agree on a shared secret key over an insecure communications channel. Then they use this key to encrypt subsequent communications using a symmetrickey cipher.
Synonyms of DiffieHellman key exchange include:
The scheme was first published publicly by Whitfield Diffie and Martin Hellman in 1976, DiffieHellman key agreement itself is an anonymous (nonauthenticated) keyagreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's shortlived modes.
In the original description papers, the DiffieHellman exchange by itself does not provide authentication of the communicating parties and is thus susceptible to a maninthemiddle attack. An attacking person in the middle may establish two different DiffieHellman key exchanges, with the two members of the party "A" and "B", appearing as "A" to "B", and vice versa, allowing the attacker to decrypt (and read or store) then reencrypt the messages passed between them. A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack.
Many cryptographic authentication solutions include a DiffieHellman exchange. When two parties "A" and "B" have a public key infrastructure, they may digitally sign the agreed key "G", or G^{A} and G^{B}, as in MQV, STS and the IKE component of the IPsec protocol suite for securing Internet Protocol communications. When "A" and "B" share a password, they may use a passwordauthenticated key agreement form of DiffieHellman.
