I don't understand how it works. I only found explanations about the key exchange, but what about the actual encryption and decryption?
Do you use the session key $K$ with a symmetric algorithm?
Do you use something similar to RSA like $m^d \bmod n$?
2 Answers
The purpose of Diffie-Hellman is solely to establish a shared key, $K$. Taken from Wikipedia:
Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical means, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
I bolded the segments above to point out two things that I think are worth calling out here:
- $K$ is being created over a public, insecure channel. That is really the core benefit of a Diffie-Hellman key exchange.
- There is no requirement that you use the shared key for anything in particular. $K$ could be used to encrypt further communication, but could also be used as a seed to a pseudorandom number generator, or in any other case where establishing a shared piece of secret data might be useful (and, again, where it is beneficial to do so effectively in public).
So while Diffie-Hellman is often used to permit encryption and decryption of data, the actual use of $K$ is left to the two parties involved to decide.
Additionally, as pointed out by @fgrieu in a comment, it is often wise to pass $K$ through a key derivation function in order to limit any weakness caused by the mathematical nature of the shared secret, or to expand the shared secret to a desired length (e.g. so it can be split into several keys to be used for different purposes). So even where $K$ is used to facilitate encryption, it is often not used directly as a symmetric key.
As pointed out by @ComFreek, Diffie-Hellman does not inherently provide authentication of the other party, opening it up to the possibility of man-in-the-middle attacks. If the keys involved are previously known or able to be verified through a PKI system, Diffie-Hellman is sufficient. But if you are not able to directly verify the authenticity of the public key, the rest of your protocol should include some form of authentication that the other party is who you believe it to be.
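The three points in the answer above (raw $K$ is agreed over a public channel, $K$ goes through a KDF and is split into several keys, and an unauthenticated exchange is open to a man-in-the-middle) as an added, runnable example. This is not code from the original post; it uses the textbook toy group $p=23$, $g=5$ purely so the numbers stay readable, HKDF with HMAC-SHA256 as the KDF, and an HMAC-based counter-mode keystream plus encrypt-then-MAC standing in for a real AEAD cipher, so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group. ASSUMPTION: p=23, g=5 is the textbook example and
# is used only so the numbers stay readable; a real deployment uses a
# standardised 2048-bit+ MODP group or an elliptic-curve group.
P = 23
G = 5


def dh_keypair():
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private, peer_public):
    """K = peer_public^own_private mod p; both parties obtain the same K."""
    return pow(peer_public, own_private, P)


def hkdf(ikm, salt, info, length):
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def transcript(pub_a, pub_b):
    """Both public values, bound into the derivation so the keys depend on
    exactly this exchange and not only on the raw value of K."""
    return pub_a.to_bytes(2, "big") + pub_b.to_bytes(2, "big")


def derive_keys(K, transcript_bytes):
    """Never use K directly: expand it into an encryption key and a MAC key."""
    ikm = K.to_bytes((P.bit_length() + 7) // 8, "big")
    okm = hkdf(ikm, salt=transcript_bytes, info=b"toy-dh-demo", length=64)
    return okm[:32], okm[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (a PRF standing in for a cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def honest_exchange(message):
    """Alice and Bob send A and B in the clear, derive the same keys, and talk."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    t = transcript(A, B)
    alice_keys = derive_keys(dh_shared_secret(a, B), t)
    bob_keys = derive_keys(dh_shared_secret(b, A), t)
    assert alice_keys == bob_keys
    return decrypt(*bob_keys, encrypt(*alice_keys, message))


def mitm_exchange(message):
    """Same exchange with no authentication: Mallory swaps in her own public
    values, shares one key with Alice and another with Bob, and reads and
    re-encrypts the message while both victims still see a valid MAC."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()          # Mallory's pair facing Alice
    m2, M2 = dh_keypair()          # Mallory's pair facing Bob
    alice_keys = derive_keys(dh_shared_secret(a, M1), transcript(A, M1))
    mal_alice = derive_keys(dh_shared_secret(m1, A), transcript(A, M1))
    mal_bob = derive_keys(dh_shared_secret(m2, B), transcript(M2, B))
    bob_keys = derive_keys(dh_shared_secret(b, M2), transcript(M2, B))
    leaked = decrypt(*mal_alice, encrypt(*alice_keys, message))
    delivered = decrypt(*bob_keys, encrypt(*mal_bob, leaked))
    return leaked, delivered
```

`honest_exchange` is the normal flow; `mitm_exchange` shows why the last paragraph of the answer matters: nothing in the key agreement itself tells Alice that `M1` came from Bob, so binding the public values into the KDF does not help against an attacker who chose them. Only authenticating the public values (signatures, certificates, a pre-shared key, or a pinned value) closes that gap.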
The answer provided by @thesquaregroot is sufficient. However, I will only add the following:
We can achieve something similar to RSA encryption by using the Diffie-Hellman construction. This can be done with the ElGamal encryption scheme.
Suppose a server has the secret/public key pair $(s, y=g^s)$. To send a message to the server, you proceed as follows:
- You generate $k$ uniformly at random and compute $c_1=g^k$.
- Then you encrypt your message $m$ as $c_2=m \cdot y^k$ and send $[c_1,c_2]$.
- To decrypt your message, the server computes $(c_1^{s})^{-1}=g^{-ks}$. Then it obtains $m$ as follows: $m= m \cdot g^{ks} \cdot g^{-ks}=m \cdot g^0=m \cdot 1$.
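The ElGamal steps in the answer above, as an added example that is not part of the original post, in the same toy group $p=23$, $g=5$ (an assumption made so the values can be checked by hand; with $s=6$, $y=8$, $m=7$, $k=3$ the ciphertext is $(10, 19)$). `encrypt`/`decrypt` follow the answer's notation exactly; `reencrypt_scaled` and the `*_hashed` pair are additions showing two things a practitioner runs into when using this as a replacement for RSA: textbook ElGamal is malleable, and a real message is bytes, not a group element.

```python
import hashlib
import secrets

# Same toy group as the Diffie-Hellman example. ASSUMPTION: p=23, g=5 keeps
# the numbers small enough to follow by hand; a real system uses a
# 2048-bit+ group (or an elliptic-curve group) and a prime-order subgroup.
P = 23
G = 5


def keygen():
    """Server's long-term pair (s, y = g^s mod p)."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def encrypt(y, m, k=None):
    """Textbook ElGamal: c1 = g^k, c2 = m * y^k mod p.

    k is the sender's ephemeral DH exponent, so y^k = g^{sk} is exactly the
    Diffie-Hellman shared secret between the sender and the server's key.
    """
    if not 1 <= m < P:
        raise ValueError("m must be a group element in [1, p-1]")
    if k is None:
        k = secrets.randbelow(P - 2) + 1      # fresh k for every message
    c1 = pow(G, k, P)
    c2 = (m * pow(y, k, P)) % P
    return c1, c2


def decrypt(s, c1, c2):
    """Server recomputes g^{ks} = c1^s and multiplies c2 by its inverse."""
    shared = pow(c1, s, P)
    inv = pow(shared, P - 2, P)               # Fermat inverse, p is prime
    return (c2 * inv) % P


def reencrypt_scaled(c1, c2, r):
    """Malleability: without the key, anyone can turn E(m) into E(m * r)."""
    return c1, (c2 * r) % P


def _keystream(c1, shared, length):
    """Hash the DH secret (and c1) into a keystream of the required length."""
    material = c1.to_bytes(2, "big") + shared.to_bytes(2, "big")
    return hashlib.shake_256(material).digest(length)


def encrypt_hashed(y, msg):
    """Hashed ElGamal (DHIES/ECIES style): XOR arbitrary bytes with a hash of
    y^k instead of multiplying a group element. Still needs a MAC in practice."""
    k = secrets.randbelow(P - 2) + 1
    c1 = pow(G, k, P)
    ks = _keystream(c1, pow(y, k, P), len(msg))
    return c1, bytes(a ^ b for a, b in zip(msg, ks))


def decrypt_hashed(s, c1, ct):
    ks = _keystream(c1, pow(c1, s, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))
```

`reencrypt_scaled` is the reason textbook ElGamal, like textbook RSA, is not used as-is: multiplying $c_2$ by $r$ yields a valid encryption of $m \cdot r$, so an attacker can change the plaintext predictably without learning it. The hashed variant fixes the encoding problem but is still unauthenticated; real DHIES/ECIES derives a MAC key alongside the encryption key, as the first answer recommends.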