Practical Cryptography for Developers
  • Welcome
  • Preface
  • Cryptography - Overview
  • Hash Functions
    • Crypto Hashes and Collisions
    • Hash Functions: Applications
    • Secure Hash Algorithms
    • Hash Functions - Examples
    • Exercises: Calculate Hashes
    • Proof-of-Work Hash Functions
  • MAC and Key Derivation
    • HMAC and Key Derivation
    • HMAC Calculation - Examples
    • Exercises: Calculate HMAC
    • KDF: Deriving Key from Password
    • PBKDF2
    • Modern Key Derivation Functions
    • Scrypt
    • Bcrypt
    • Linux crypt()
    • Argon2
    • Secure Password Storage
    • Exercises: Password Encryption
  • Secure Random Generators
    • Pseudo-Random Numbers - Examples
    • Secure Random Generators (CSPRNG)
    • Exercises: Pseudo-Random Generator
  • Key Exchange and DHKE
    • Diffie–Hellman Key Exchange
    • DHKE - Examples
    • Exercises: DHKE Key Exchange
  • Encryption: Symmetric and Asymmetric
  • Symmetric Key Ciphers
    • Cipher Block Modes
    • Popular Symmetric Algorithms
    • The AES Cipher - Concepts
    • AES Encrypt / Decrypt - Examples
    • Ethereum Wallet Encryption
    • Exercises: AES Encrypt / Decrypt
    • ChaCha20-Poly1305
    • Exercises: ChaCha20-Poly1305
  • Asymmetric Key Ciphers
    • The RSA Cryptosystem - Concepts
    • RSA Encrypt / Decrypt - Examples
    • Exercises: RSA Encrypt / Decrypt
    • Elliptic Curve Cryptography (ECC)
    • ECDH Key Exchange
    • ECDH Key Exchange - Examples
    • Exercises: ECDH Key Exchange
    • ECC Encryption / Decryption
    • ECIES Hybrid Encryption Scheme
    • ECIES Encryption - Example
    • Exercises: ECIES Encrypt / Decrypt
  • Digital Signatures
    • RSA Signatures
    • RSA: Sign / Verify - Examples
    • Exercises: RSA Sign and Verify
    • ECDSA: Elliptic Curve Signatures
    • ECDSA: Sign / Verify - Examples
    • Exercises: ECDSA Sign and Verify
    • EdDSA and Ed25519
    • EdDSA: Sign / Verify - Examples
    • Exercises: EdDSA Sign and Verify
  • Quantum-Safe Cryptography
    • Quantum-Safe Signatures - Example
    • Quantum-Safe Key Exchange - Example
    • Quantum-Safe Asymmetric Encryption - Example
  • More Cryptographic Concepts
    • Digital Certificates - Example
    • TLS - Example
    • One-Time Passwords (OTP) - Example
  • Crypto Libraries for Developers
    • JavaScript Crypto Libraries
    • Python Crypto Libraries
    • C# Crypto Libraries
    • Java Crypto Libraries
  • Conclusion
Powered by GitBook
On this page

Was this helpful?

Key Exchange and DHKE

PreviousExercises: Pseudo-Random GeneratorNextDiffie–Hellman Key Exchange

Last updated 5 years ago

Was this helpful?

In cryptography (key exchange, key negotiation) is a process or protocol, whereby a shared secret becomes available to two parties, for subsequent cryptographic use, typically for encrypted communication. Establishment techniques can be key agreement or key transport schemes.

  • In a key agreement scheme both parties contribute to the negotiation of the shared secret. Examples of key agreement schemes are Diffie-Hellman (DHKE) and Elliptic-Curve Diffie-Hellman (ECDH).

  • In a key transport scheme only one of the parties contributes to the shared secret and the other party obtains the secret from it. Key transport schemes are typically implemented through public-key cryptography, e.g. in the RSA key exchange the client encrypts a random session key by its private key and sends it to the server, where it is decrypted using the client's public key.

By design schemes securely exchange cryptographic keys between two parties, in a way that noone else can obtain a copy of the keys. Typically, at the start of an encrypted conversation (e.g. during the TLS handshake phase), the parties first negotiate about the encryption keys (the shared secret) to be used during the conversation. Key exchange schemes are really important topic in the modern cryptography, because keys are exchanged hundreds of times by million devices and servers in Internet.

A key negotiation (key establishment) scheme is executed every time when a laptop connects to the Wi-Fi network or a Web browser opens a Web site through the https:// protocol. The key negotiation can be based on a annonymous key-exchange protocol (like DHKE), a password or pre-shared key (PSK), a digital certificate or a combination of many elements together. Some communication protocols establish a shared secret key once only, while others constantly change the secret key over the time.

Authenticated Key Exchange (AKE) is the exchange of session key in a key exchange protocol which also authenticates the identities of the involved parties (e.g. through a password, public key or digital certificate). For example, if you connect to a password-protected WiFi network, an authenticated key agreement protocol is used, in most cases password-authenticated key agreement (PAKE). If you connect to a public WiFi network, anonymous key agreement is conducted.

Key Exchange / Key Agreement Algorithms

Many cryptographic algorithms exist for key exchange and key establishment. Some use public-key cryptosystems, others use simple key-exchange schemes (like the Diffie–Hellman Key Exchange), some involve server authentication, some involve client authentication, some use passwords, some use digital certificates or other authentication mechanisms.

Examples of key exchange schemes are: and , and (RSA key transport), , , (Fully Hashed Menezes-Qu-Vanstone), (Ellictic-Curve Menezes-Qu-Vanstone) and (quantum-safe key agreement).

Let's start from the classical Diffie–Hellman Key Exchange (DHКЕ) scheme, which was one of the first public key protocols.

key establishment
key exchange
Diffie–Hellman key exchange (DHКЕ)
Elliptic-curve Diffie–Hellman (ECDH)
RSA-OAEP
RSA-KEM
PSK (pre-shared key)
SRP (Secure Remote Password protocol)
FHMQV
ECMQV
CECPQ1