I’ve Got a Secret – Key, That Is

How many of you use a VPN? VPN stands for Virtual Private Network, and if you work for a large company, or do business with one, chances are you log in to its network through a VPN. A VPN is a private network carried over a larger network such as the Internet or a company LAN. The VPN is not defined by its physical wires; instead it runs over open connections, or virtual circuits, through the larger network.

VPNs secure communications over the public network by combining authentication and encryption. Encryption needs a key that both ends know and nobody else does, and one way to establish that shared secret key is the Diffie-Hellman key exchange.

The Diffie-Hellman key exchange allows two parties to jointly establish a shared secret key over an insecure channel without having any prior shared secret. Later, this key can be used to encrypt subsequent communications with a symmetric cipher. Keep in mind that Diffie-Hellman does not encrypt data and is not used to make digital signatures; it only produces a shared secret. It also does not, by itself, tell either party who is on the other end, so a VPN that uses it (IPsec's IKE, for example) must also authenticate the exchange, typically with certificates or a pre-shared secret. Otherwise an attacker in the middle can run one exchange with each side and read everything.

The company I work for uses the Diffie-Hellman key exchange whenever I log in to our VPN either from home or from some other remote location.

The Diffie-Hellman protocol is built on modular arithmetic with prime numbers. The two users first agree on non-secret public parameters: a large prime modulus, S, and a base (generator), g. These do not need to be kept secret and are usually taken from a published, well-vetted group. Next, each user generates two values: a private value, X, and a public value, Y. The private value is chosen first, at random, from the range 1 < X < S - 1. The public value is then computed from the private value by modular exponentiation: Y = g^X mod S. Although Y and X are mathematically related, recovering X from Y (together with the public g and S) is the discrete logarithm problem, which is intractable for a large, well-chosen prime. For a small prime it is trivial, which is why real deployments use groups of at least 2048 bits.

Next, the two users exchange (trade) their public Y values over the open channel. Finally, each user computes the shared secret value, Z, by raising the other user's Y to the power of their own private X, modulo S: Z = Y_other^X mod S. Both sides arrive at the same Z because g^(X1·X2) mod S is the same whichever order the exponents are applied in, and nobody watching the channel has either X. Z is not normally used as a key as-is; it is fed through a key derivation function to produce fixed-length symmetric keys, and each side should also reject a received Y that is 0, 1 or S - 1, since those degenerate values force Z into a tiny, predictable set.

Written by Mike Rede