What is Diffie-Hellman

Diffie-Hellman (DH) is a key exchange protocol published in 1976 by Whitfield Diffie and Martin Hellman. It solves a fundamental problem: two parties who have never communicated before can agree on a shared secret key over a completely public channel, without ever transmitting the secret itself.

How it works

The classic version uses modular arithmetic:

  1. Alice and Bob publicly agree on a large prime p and a generator g.
  2. Alice picks a secret number a, computes A = g^a mod p, and sends A to Bob.
  3. Bob picks a secret number b, computes B = g^b mod p, and sends B to Alice.
  4. Alice computes s = B^a mod p. Bob computes s = A^b mod p. Both arrive at the same shared secret s.

An eavesdropper sees p, g, A, and B, but computing a or b from those values requires solving the discrete logarithm problem — which is computationally infeasible for large primes.

The modern version performs the same exchange over points on an elliptic curve instead of integers modulo a prime. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) generates a new key pair for every connection, providing forward secrecy: an attacker who later compromises the server's long-term private key cannot decrypt past sessions, because each session used a unique ephemeral key that no longer exists.

The shared secret produced by Diffie-Hellman is never used directly as an encryption key. It passes through a key derivation function (KDF) to produce the actual AES session keys.
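Steps 1 to 4 and the KDF step, as an added example that is not part of the original page. It also shows a check the steps leave implicit: rejecting peer values that would force a predictable shared secret. The prime (2^255 - 19, used here only because it is short to write and far too small for real finite-field DH), the generator 2, the function names, the info label and the use of a transcript hash as HKDF salt are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Demonstration parameters (assumption): p = 2**255 - 19 is prime but far too
# small for finite-field DH; real deployments use >= 2048-bit groups (RFC 7919).
P = 2**255 - 19
G = 2

def keypair():
    """Steps 2/3: pick a secret exponent and compute the public value."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def validate_public(pub):
    """Reject values that force a trivially known shared secret (0, 1, p-1)."""
    if not isinstance(pub, int) or not 2 <= pub <= P - 2:
        raise ValueError("peer public value out of range")
    return pub

def shared_secret(priv, peer_pub):
    """Step 4: s = peer_pub^priv mod p, as fixed-length big-endian bytes."""
    s = pow(validate_public(peer_pub), priv, P)
    return s.to_bytes((P.bit_length() + 7) // 8, "big")

def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869): extract then expand; the raw s is never the key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(priv, peer_pub, transcript):
    """Derive a 32-byte key bound to both public values via the salt."""
    return hkdf_sha256(shared_secret(priv, peer_pub), transcript, b"example session key", 32)

def run_exchange():
    a, A = keypair()                              # Alice
    b, B = keypair()                              # Bob
    transcript = hashlib.sha256(A.to_bytes(32, "big") + B.to_bytes(32, "big")).digest()
    return session_key(a, B, transcript), session_key(b, A, transcript)

if __name__ == "__main__":
    k_alice, k_bob = run_exchange()
    print("keys match:", k_alice == k_bob, k_alice.hex())
```

The exchange as written is unauthenticated: nothing here proves that A came from Alice or B from Bob, which is why protocols such as TLS sign the handshake with a long-term key.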

Why it matters

Diffie-Hellman is how TLS establishes encrypted connections. Every HTTPS request, every SSH session, every VPN tunnel begins with a Diffie-Hellman key exchange. TLS 1.3 mandates ECDHE for every connection — there is no fallback. Understanding Diffie-Hellman is understanding how two strangers on the internet create a private channel.

See How Key Exchange Works for the full walkthrough.