Diffie–Hellman key exchange (Example in Golang)
The Diffie-Hellman key exchange protocol, named after its inventors Whitfield Diffie and Martin Hellman, is a fundamental method in cryptography for securely exchanging cryptographic keys over a public channel. Published in 1976, it was one of the earliest practical implementations of public-key cryptography, introducing the concept of a private key and corresponding public key.
At its core, Diffie–Hellman enables two parties to generate a shared secret key over a public channel, which can then be used for secure communication. The algorithm relies on the computational complexity of the discrete logarithm problem for its security.
The Diffie-Hellman key exchange (DHKE) is a fundamental cryptographic protocol that enables two parties to establish a shared secret key over an insecure channel. This shared secret can then be used for encrypted communication. Here's a detailed cryptographic explanation of how the Diffie-Hellman key exchange works:
Parameter Selection: Before starting the key exchange, both parties agree on certain parameters:
Modulusp
: A prime number used for modular arithmetic.
Baseg
: A primitive root modulop
, meaningg
generates all possible residues when raised to different powers modulop
.Private Key Generation: Each party generates its own private key:
Alice chooses a random secret integerPrivK_A
Bob chooses a random secret integerPrivK_B
Public Key Calculation:
Alice calculates her public keyPubK_A
by computingPubK_A = (g ^ PrivK_A) mod p
Bob calculates her public keyPubK_B
by computingPubK_B = (g ^ PrivK_B) mod p
Exchange of Public Keys: Alice and Bob exchange their public keys over the insecure channel.
Shared Secret Calculation:
Alice computes the shared secret
secret_A
using Bob's public keysecret_A = (PubK_B ^ PrivK_A) mod p
Bob computes the shared secretsecret_B
using Alice's public keysecret_B = (PubK_A ^ PrivK_B) mod p
Key Derivation: Both Alice and Bob arrive at the same shared secretw, which can now be used as a symmetric encryption key.
Encryption and Decryption: Now that Alice and Bob share a secret key, they can use symmetric encryption algorithms (like AES) to encrypt and decrypt their messages securely.
While Diffie–Hellman provides a robust framework for key exchange, its security relies on the difficulty of solving the discrete logarithm problem. Factors such as the size of the prime modulus and the choice of base influence the algorithm's resistance to attacks.
Over the years, researchers have identified potential vulnerabilities in Diffie–Hellman, particularly concerning the size of the prime modulus and the risk of precomputation attacks. Mitigating these challenges often involves using larger prime moduli or transitioning to elliptic curve cryptography.
Diffie–Hellman finds extensive use in various cryptographic protocols and systems. It forms the basis for establishing forward secrecy in protocols like Transport Layer Security (TLS) and is employed in public key encryption schemes, password-authenticated key agreement, and more.
Overall, the Diffie-Hellman key exchange provides a secure method for establishing a shared secret key between two parties without prior communication, enabling them to securely communicate over an insecure channel.
Implementation
In this example, we'll implement the Diffie–Hellman key exchange algorithm in Go (Golang). This algorithm allows two parties (Alice and Bob) to establish a shared secret over an insecure communication channel. We'll walk through the implementation step by step, explaining each part along the way. Let's get started!
package main
import (
"crypto/rand"
"fmt"
"math/big"
)
func generatePrime() *big.Int {
prime, _ := rand.Prime(rand.Reader, 256) // Generating a 256-bit prime number
return prime
}
func generatePrivateKey(prime *big.Int) *big.Int {
privateKey, _ := rand.Int(rand.Reader, prime)
return privateKey
}
func calculatePublicKey(prime, privateKey, base *big.Int) *big.Int {
publicKey := new(big.Int).Exp(base, privateKey, prime)
return publicKey
}
func calculateSharedSecret(prime, privateKey, publicKey *big.Int) *big.Int {
sharedSecret := new(big.Int).Exp(publicKey, privateKey, prime)
return sharedSecret
}
func main() {
// Alice and Bob agree on a natural number P a generating element G
// in the finite cyclic group G of order n
// Which is known to everyone
P := generatePrime()
G := big.NewInt(2) // G is a primitive root modulo P (generator)
// Alice and Bob generate their private keys
// PrivK = random number between 1 and P-1
PrivK_A := generatePrivateKey(P)
PrivK_B := generatePrivateKey(P)
// Alice and Bob calculate their public keys
// PubK = G^PrivK mod P
PubK_A := calculatePublicKey(P, PrivK_A, G)
PubK_B := calculatePublicKey(P, PrivK_B, G)
// Now Alice and Bob exchange their public keys
// and calculate the shared secret
// shared_secret = PrivK^PubK mod P
secret_A := calculateSharedSecret(P, PrivK_A, PubK_B)
secret_B := calculateSharedSecret(P, PrivK_B, PubK_A)
// If the shared secrets match, then Alice and Bob have
// successfully established a shared secret
if secret_A.Cmp(secret_B) == 0 {
fmt.Printf("Shared secret: %s\n", secret_A.Text(16))
} else {
fmt.Println("Shared secret mismatch")
}
}
In the main part of the code:
We generate a prime number
P
and a base numberG
. These are agreed upon by both parties.Then, both Alice and Bob generate their own private keys (
PrivK_A
andPrivK_B
) using thegeneratePrivateKey()
function.They calculate their respective public keys (
PubK_A
andPubK_B
) using thecalculatePublicKey()
function.Next, they exchange their public keys.
Finally, they calculate the shared secret using each other's public keys and their own private keys. If the shared secrets match, it means they have successfully established a shared secret.
The purpose of this code is to demonstrate a simplified version of the Diffie-Hellman key exchange algorithm, which allows two parties to securely establish a shared secret over an insecure channel.
Subscribe to my newsletter
Read articles from Emin Muhammadi directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Emin Muhammadi
Emin Muhammadi
Software & QA Engineer, Cybersec enthusiast (Website https://eminmuhammadi.com)