SunScreen SKIP User's Guide, Release 1.5.1

Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange algorithm, which is named after its inventors, solves the problem of securely distributing keys by removing the need to transmit secret keys. When two hosts wish to use the Diffie-Hellman algorithm to exchange keys, they agree to use the same numerical values for the key basis (g) and modulus (p). Each host generates a large (512-, 1024-, or 2048-bit) random number (x) as a private key, and then uses this private key to generate a public key g^x mod p.

Once a user's private and public keys have been calculated, SunScreen SKIP creates the user's public certificate. This certificate contains the public key value, the g and p values used to compute the public key, and other information, such as the period for which the certificate is valid.

SunScreen SKIP hosts exchange their public certificates with one another freely. When two hosts wish to communicate securely, each host calculates a mutually authenticated shared secret based solely on knowledge of its private key and the other host's public key.

For example, host I would select a random number i as a private key and then generate a public key g^i mod p. Similarly, host J would select a random number j as a private key and then generate a public key g^j mod p. The two hosts then exchange their public keys over secure or insecure links. Host I raises J's public key (g^j mod p) to the power of its private key i, yielding (g^j)^i mod p or g^(ji) mod p. Host J raises I's public key (g^i mod p) to the power of its private key j, yielding (g^i)^j mod p or g^(ij) mod p. Consequently, hosts I and J can derive a mutually authenticated long-term secret g^(ij) mod p implicitly (without explicit communication). Since no one other than I and J has access to their private keys, no one other than I and J can compute g^(ij) mod p.

The two hosts then take the low-order bits of g^(ij) mod p to derive a pairwise master key Kij. Kij is an implicit shared master key that does not need to be sent in any packet or negotiated out of band.
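
The exchange between hosts I and J described above, as an added Python example (not SunScreen SKIP code). The modulus, base and 64-bit master-key length are constructed toy values chosen so the example runs quickly, and the range check on the peer's public key is an added precaution that this guide does not describe.

```python
import secrets

# Constructed toy parameters for illustration only: a 127-bit Mersenne prime
# and a small base. Real SKIP certificates carry 512-, 1024- or 2048-bit values.
P = 2**127 - 1
G = 3
KEY_BITS = 64  # assumed master-key length; the guide only says "low-order bits"


def generate_keypair(g=G, p=P):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2          # x in [2, p-2]
    return x, pow(g, x, p)


def check_public(y, p=P):
    """Reject peer values outside 2..p-2 (0, 1 and p-1 give a predictable secret)."""
    if not 1 < y < p - 1:
        raise ValueError("peer public key out of range")
    return y


def shared_secret(own_private, peer_public, p=P):
    """Raise the peer's public key to our private key: (g^j)^i mod p."""
    return pow(check_public(peer_public, p), own_private, p)


def master_key(secret, key_bits=KEY_BITS):
    """Take the low-order key_bits bits of g^(ij) mod p as Kij."""
    return secret & ((1 << key_bits) - 1)


def demo():
    i, pub_i = generate_keypair()             # host I
    j, pub_j = generate_keypair()             # host J
    # Only pub_i and pub_j cross the network; i and j never leave their hosts.
    k_at_i = master_key(shared_secret(i, pub_j))
    k_at_j = master_key(shared_secret(j, pub_i))
    return k_at_i, k_at_j


if __name__ == "__main__":
    k_i, k_j = demo()
    print(f"Kij at I: {k_i:016x}")
    print(f"Kij at J: {k_j:016x}")
```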

In theory, the two hosts could use their shared master key Kij to encrypt messages. However, doing so might expose Kij to analysis and eventual decryption. Instead, SunScreen SKIP uses a rapidly-changing series of traffic keys to encrypt messages traveling between the two hosts, and uses a modified version of Kij to encrypt these traffic keys. See "Perfect Forward Secrecy", below, for more information.