The Diffie-Hellman protocol allows two parties to establish a shared secret over insecure channels, such as the Internet. This protocol allows a secure shared key interchange over the public network, such as the World Wide Web, before any secure session and data transfer is initiated. Diffie-Hellman ensures that, by exchanging just the public portions of the key, both devices can generate a session and ensure that data is encrypted and decrypted by valid sources only. Only public keys (clear text) are exchanged over the public network. Using each device's public key and running the key through the Diffie-Hellmann algorithm generates a common session key. Only public keys will ever be exchanged.
Figure 4-7 displays the Diffie-Hellman exchange between Cisco routers, R1 and R2.
Figure 4-7 Diffie-Hellman Key Exchange
R1 Private Key and 1 R1 Private Key and
Public Key 1. Public keys are exchanged ' 1 ' Public Key in clear text.
2. Random Integer _2_2. Random Integer generated. generated.
+ prime number "A" <-> + prime number "B"
3.Each router uses the random integer to generate a private key. 4
f 4. R1 and R2 then combine with \
the known prime number A and B to generate a public key.
The Diffie-Hellman key exchange takes place over a public domain. With the private key kept secret, it is very difficult for an outside intruder to generate the same key, and the private key is never exchanged over the public domain, making the process very secure.
The shared prime numbers (mathematically, a prime number is any positive integer greater than 1 and divisible without a remainder only by 1 and itself) have a special relationship that makes agreeing on a shared secret possible. An analogy would be to have two milkshake blenders making a chocolate milkshake, but with one blender supplied with apples and the other with oranges. The Diffie-Hellman algorithm is the secret ingredient that, when mixed in with both blenders, produces the chocolate milkshake. Remember, it really is a superb algorithm.
NOTE RSA is another public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. RSA's main weakness is that it is significantly slow to compute compared to popular secret-key algorithms, such as DES or 3DES. The Cisco IKE implementation uses a Diffie-Hellman exchange to get the secret keys. This exchange can be authenticated with RSA (or preshared keys). With the Diffie-Hellman exchange, the DES key never crosses the network, which is not the case with the RSA encryption and signing techniques. RSA is public domain like DES/3DES, and to apply RSA, you must be licensed from RSA Data Security. RSA is also approved by the U.S. government. An RSA signature is defined as the host (for example, PC or routers) public and private key, which is bound with a digital certificate. With RSA, only the public key is ever transmitted—the private key is never shared.
Was this article helpful?