# Diffie-Hellman and Security+

Diffie-Hellman might sound a little foreign to you, but if you plan to take the Security+ exam, it’s worth knowing what they are.

## Diffie-Hellman Sample Question

As an example, can you answer this sample question from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.

Q. Your organization is investigating possible methods of sharing encryption keys over a public network. Which of the following is the BEST choice?

A. CRL

B. PBKDF2

C. Hashing

D. ECDHE

Answer below

## Diffie-Hellman

Diffie-Hellman is a key exchange algorithm used to privately share a symmetric key between two parties. Once the two parties know the symmetric key, they use symmetric encryption to encrypt the data.

Whitfield Diffie and Martin Hellman first published the Diffie-Hellman scheme in 1976. Interestingly, Malcolm J. Williamson secretly created a similar algorithm while working in a British intelligence agency. It is widely believed that the work of these three provided the basis for public-key cryptography.

Diffie-Hellman methods support both static keys and ephemeral keys.

## Static Versus Ephemeral Keys

The two primary categories of asymmetric keys are static and ephemeral. In general, *static keys *are semipermanent and stay the same over a long period of time. In contrast, *ephemeral keys* have very short lifetimes and are re-created for each session.

### Static Keys

RSA uses static keys. A certificate includes an embedded public key matched to a private key and this key pair is valid for the lifetime of a certificate, such as a year.

Certificates have expiration dates and systems continue to use these keys until the certificate expires. A benefit of static keys is that a CA can validate them with a CRL or using the Online Certificate Status Protocol (OCSP).

### Ephemeral Keys

An ephemeral key pair includes a private ephemeral key and a public ephemeral key. However, systems use these key pairs for a single session and then discard them. Some versions of Diffie-Hellman use static keys and some versions use ephemeral keys.

### Perfect Forward Secrecy

Perfect forward secrecy is an important characteristic that ephemeral keys comply with in asymmetric encryption. Perfect forward secrecy indicates that a cryptographic system generates random public keys for each session and it doesn’t use a deterministic algorithm to do so.

In other words, given the same input, the algorithm will create a different public key. This helps ensure that systems do not reuse keys.

## Diffie-Hellman Versions

RSA is based on the Diffie-Hellman key exchange concepts using static keys.

Two Diffie-Hellman methods that use ephemeral keys are:

**DHE**. Diffie-Hellman Ephemeral (DHE) uses ephemeral keys, generating different keys for each session. Some documents list this as Ephemeral Diffie-Hellman (EDH).**ECDHE**. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) uses ephemeral keys generated using ECC.

Another version of Diffie-Hellman, Elliptic Curve Diffie-Hellman (ECDH), uses static keys.

### Remember this

Ephemeral keys have very short lifetimes and are re-created for each session. In contrast, static keys are semipermanent and stay the same over a long period of time. Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) both use ephemeral keys

Diffie-Hellman is a secure method of sharing symmetric encryption keys over a public network. Elliptic curve cryptography is commonly used with small wireless devices. ECDHE is a version of Diffie-Hellman that uses elliptic curve cryptography to generate encryption keys.

## Diffie-Hellman Answer

Q. Your organization is investigating possible methods of sharing encryption keys over a public network. Which of the following is the BEST choice?

A. CRL

B. PBKDF2

C. Hashing

D. ECDHE

Answer below

**D.** Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) allows entities to negotiate encryption keys securely over a public network.

Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to make password cracking more difficult.

A certificate revocation list (CRL) identifies revoked certificates and is unrelated to sharing encryption keys.

Hashing methods do not support sharing encryption keys over a public network.

See Chapter 10 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more info on ECDHE.

Pass the Security+ exam the first time!

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide