Diffie–Hellman key exchange (Example in Golang)

Emin MuhammadiEmin Muhammadi
5 min read

The Diffie-Hellman key exchange protocol, named after its inventors Whitfield Diffie and Martin Hellman, is a fundamental method in cryptography for securely exchanging cryptographic keys over a public channel. Published in 1976, it was one of the earliest practical implementations of public-key cryptography, introducing the concept of a private key and corresponding public key.

At its core, Diffie–Hellman enables two parties to generate a shared secret key over a public channel, which can then be used for secure communication. The algorithm relies on the computational complexity of the discrete logarithm problem for its security.

The Diffie-Hellman key exchange (DHKE) is a fundamental cryptographic protocol that enables two parties to establish a shared secret key over an insecure channel. This shared secret can then be used for encrypted communication. Here's a detailed cryptographic explanation of how the Diffie-Hellman key exchange works:

  • Parameter Selection: Before starting the key exchange, both parties agree on certain parameters:
    Modulusp: A prime number used for modular arithmetic.
    Baseg: A primitive root modulo p, meaning g generates all possible residues when raised to different powers modulo p.

  • Private Key Generation: Each party generates its own private key:
    Alice chooses a random secret integer PrivK_A
    Bob chooses a random secret integer PrivK_B

  • Public Key Calculation:
    Alice calculates her public key PubK_A by computing PubK_A = (g ^ PrivK_A) mod  p
    Bob calculates her public key PubK_B by computing PubK_B = (g ^ PrivK_B) mod  p

  • Exchange of Public Keys: Alice and Bob exchange their public keys over the insecure channel.

  • Shared Secret Calculation:

    Alice computes the shared secret secret_A using Bob's public key secret_A = (PubK_B ^ PrivK_A) mod p
    Bob computes the shared secret secret_B using Alice's public key secret_B = (PubK_A ^ PrivK_B) mod p

  • Key Derivation: Both Alice and Bob arrive at the same shared secretw, which can now be used as a symmetric encryption key.

  • Encryption and Decryption: Now that Alice and Bob share a secret key, they can use symmetric encryption algorithms (like AES) to encrypt and decrypt their messages securely.

While Diffie–Hellman provides a robust framework for key exchange, its security relies on the difficulty of solving the discrete logarithm problem. Factors such as the size of the prime modulus and the choice of base influence the algorithm's resistance to attacks.

Over the years, researchers have identified potential vulnerabilities in Diffie–Hellman, particularly concerning the size of the prime modulus and the risk of precomputation attacks. Mitigating these challenges often involves using larger prime moduli or transitioning to elliptic curve cryptography.

Diffie–Hellman finds extensive use in various cryptographic protocols and systems. It forms the basis for establishing forward secrecy in protocols like Transport Layer Security (TLS) and is employed in public key encryption schemes, password-authenticated key agreement, and more.

Overall, the Diffie-Hellman key exchange provides a secure method for establishing a shared secret key between two parties without prior communication, enabling them to securely communicate over an insecure channel.

Implementation

In this example, we'll implement the Diffie–Hellman key exchange algorithm in Go (Golang). This algorithm allows two parties (Alice and Bob) to establish a shared secret over an insecure communication channel. We'll walk through the implementation step by step, explaining each part along the way. Let's get started!

package main

import (
    "crypto/rand"
    "fmt"
    "math/big"
)

func generatePrime() *big.Int {
    prime, _ := rand.Prime(rand.Reader, 256) // Generating a 256-bit prime number
    return prime
}

func generatePrivateKey(prime *big.Int) *big.Int {
    privateKey, _ := rand.Int(rand.Reader, prime)
    return privateKey
}

func calculatePublicKey(prime, privateKey, base *big.Int) *big.Int {
    publicKey := new(big.Int).Exp(base, privateKey, prime)
    return publicKey
}

func calculateSharedSecret(prime, privateKey, publicKey *big.Int) *big.Int {
    sharedSecret := new(big.Int).Exp(publicKey, privateKey, prime)
    return sharedSecret
}

func main() {
    // Alice and Bob agree on a natural number P a generating element G
    // in the finite cyclic group G of order n
    // Which is known to everyone
    P := generatePrime()
    G := big.NewInt(2) // G is a primitive root modulo P (generator)

    // Alice and Bob generate their private keys
    // PrivK = random number between 1 and P-1
    PrivK_A := generatePrivateKey(P)
    PrivK_B := generatePrivateKey(P)

    // Alice and Bob calculate their public keys
    // PubK = G^PrivK mod P
    PubK_A := calculatePublicKey(P, PrivK_A, G)
    PubK_B := calculatePublicKey(P, PrivK_B, G)

    // Now Alice and Bob exchange their public keys
    // and calculate the shared secret
    // shared_secret = PrivK^PubK mod P
    secret_A := calculateSharedSecret(P, PrivK_A, PubK_B)
    secret_B := calculateSharedSecret(P, PrivK_B, PubK_A)

    // If the shared secrets match, then Alice and Bob have
    // successfully established a shared secret
    if secret_A.Cmp(secret_B) == 0 {
        fmt.Printf("Shared secret: %s\n", secret_A.Text(16))
    } else {
        fmt.Println("Shared secret mismatch")
    }
}

In the main part of the code:

  • We generate a prime number P and a base number G. These are agreed upon by both parties.

  • Then, both Alice and Bob generate their own private keys (PrivK_A and PrivK_B) using the generatePrivateKey() function.

  • They calculate their respective public keys (PubK_A and PubK_B) using the calculatePublicKey() function.

  • Next, they exchange their public keys.

  • Finally, they calculate the shared secret using each other's public keys and their own private keys. If the shared secrets match, it means they have successfully established a shared secret.

The purpose of this code is to demonstrate a simplified version of the Diffie-Hellman key exchange algorithm, which allows two parties to securely establish a shared secret over an insecure channel.

10
Subscribe to my newsletter

Read articles from Emin Muhammadi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Emin Muhammadi
Emin Muhammadi

Software & QA Engineer, Cybersec enthusiast (Website https://eminmuhammadi.com)