HashTools course, lesson 6 of 7

Key Exchange: How Two Strangers Agree on a Secret

Diffie-Hellman lets two parties derive a shared secret over a public channel — without ever transmitting the secret itself. It's the mechanism behind every TLS connection.

7 min read. Hands-on: Diffie-Hellman + MITM Tool.
Secret Key Exchange (Diffie-Hellman) — Computerphile (video)

RSA solves the key exchange problem in one direction: encrypt something with my public key and only I can decrypt it. But RSA is slow, and there's a deeper problem — if you want both parties to derive the same fresh key independently, without transmitting the key itself, you need something different.

Diffie-Hellman (DH) solved this in 1976. Two parties can agree on a shared secret over a completely public channel, with an eavesdropper watching every message, and the eavesdropper learns nothing about the secret.

The paint analogy

The standard explanation: start with a public colour (yellow). Alice picks a secret colour (red) and mixes them, producing orange. Bob picks a secret colour (blue) and mixes them, producing green. They exchange the mixed colours publicly. Alice takes Bob's green and adds her secret red, getting a brown. Bob takes Alice's orange and adds his secret blue, getting the same brown. The shared brown is the secret — an eavesdropper who saw yellow, orange, and green can't reverse the mixing to find it.

The maths replaces colour mixing with modular exponentiation. Combining exponents is easy; finding which exponents were used is the discrete logarithm problem, which is computationally hard for large numbers.

Ephemeral keys and forward secrecy

Classic (static) DH reuses the same long-term key pair for every session. If someone records your encrypted traffic today and later compromises that long-term key, they can decrypt everything retroactively.

DHE (Diffie-Hellman Ephemeral) generates fresh key pairs for every session. Even if your long-term key is compromised, past sessions can't be decrypted — the ephemeral keys were discarded after the session. This property is called forward secrecy (or perfect forward secrecy, PFS).

TLS 1.3 removed all non-forward-secret cipher suites. Every TLS 1.3 connection uses ECDHE — the ephemeral elliptic curve variant. This is why TLS 1.3 is a meaningful security improvement over 1.2, not just a speed improvement.

The man-in-the-middle problem

DH is vulnerable to active attacks. If Mallory sits between Alice and Bob and intercepts their key exchange, she can perform separate DH exchanges with each — one with Alice, one with Bob — and relay traffic between them while reading everything. Alice and Bob each think they've established a secure channel, but Mallory is in the middle.

The fix is authentication. TLS uses certificates to prove the server's public key is legitimate — signed by a certificate authority your browser trusts. Without that binding, DH is an eavesdropping defence, not an impersonation defence.
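As an added example (not the lesson's tool or code), the exchange above in Python with toy-sized parameters: an honest run where Alice and Bob derive the same key, a run where Mallory substitutes her own public values and ends up holding one key with each party, and the check that exposes her. Each side hashes the public values it actually saw, and the two fingerprints only match when nothing was substituted; this comparison stands in for the certificate binding described above and assumes the fingerprints can be compared over a channel Mallory cannot alter. The group parameters and all function names are this example's own.

```python
import hashlib
import secrets

# Toy group, chosen only so the arithmetic is readable: p = 2**61 - 1 is prime but
# far too small, and g is not verified to generate a large subgroup. Real use needs
# an RFC 7919 finite-field group or an elliptic curve (ECDHE), as in TLS 1.3.
P = 2**61 - 1
G = 5

def keypair():
    """Fresh (ephemeral) key pair: private exponent x, public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2       # 2 <= priv <= p - 2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    """(g^b)^a == (g^a)^b mod p, so both parties land on the same value."""
    return pow(their_pub, my_priv, P)

def fingerprint(pub_sent, pub_received):
    """Hash of the two public values this party actually saw (order-independent)."""
    lo, hi = sorted((pub_sent, pub_received))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()[:16]

def honest_exchange():
    """Nobody alters the channel: Alice and Bob see each other's real values."""
    a, A = keypair()
    b, B = keypair()
    return shared_secret(a, B), shared_secret(b, A), fingerprint(A, B), fingerprint(B, A)

def mitm_exchange():
    """Mallory swaps in her own public values and runs one exchange with each side."""
    a, A = keypair()
    b, B = keypair()
    m1, M1 = keypair()                        # Mallory's pair facing Alice
    m2, M2 = keypair()                        # Mallory's pair facing Bob
    return {
        "alice": shared_secret(a, M1),        # Alice received M1 instead of B
        "bob": shared_secret(b, M2),          # Bob received M2 instead of A
        "mallory_alice": shared_secret(m1, A),
        "mallory_bob": shared_secret(m2, B),
        "alice_fp": fingerprint(A, M1),       # what Alice saw
        "bob_fp": fingerprint(B, M2),         # what Bob saw: differs, so the swap shows
    }

if __name__ == "__main__":
    ak, bk, afp, bfp = honest_exchange()
    print("honest: keys match", ak == bk, "| fingerprints match", afp == bfp)
    r = mitm_exchange()
    print("mitm:   keys match", r["alice"] == r["bob"], "| fingerprints match", r["alice_fp"] == r["bob_fp"])
```

Running it twice shows the ephemeral property too: every call to `honest_exchange()` yields a different key, so a key recovered from one session says nothing about another.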

The Diffie-Hellman tool lets you run an ECDH exchange between Alice and Bob in the browser, then toggle the MITM mode to see exactly what Mallory sees and how the attack works.

Try it yourself: the Diffie-Hellman + MITM Tool runs entirely in your browser.