Diffie Hellman Key Exchange Algorithm

In an interview, one may be asked how an security connection is established between two endpoints using TLS protocol. He may answer the below steps:

1. A client sends a ClientHello message to a server with the client capabilities
2. The server responds with a ServerHello message carrying the selected parameters.
3. The server sends its certificate to the client
4. The client verifies the certificate, and uses the public key contained in the certificate to encrypt an shared secret key, and sends it to the server.
5. The server decrypts the shared secret key using its private key and use the shared secret as the symmetric key

Now the client and the server have the same symmetric key, which is transferred securely. This may be the case in TLS 1.2, However, in TLS 1.3, RSA key exchange is no longer supported. The Diffie Hellman key exchange algorithm can be used.

Strictly speaking, Diffie Hellman algorithm is not a key exchange algorithm, but a key agreement algorithm, because the real symmetric key is not exchanged over the connection. The information exchanged between two endpoints can be used to build the same symmetric key for both parties. The algorithm description can be found in the below article. It is good enough so I won’t bother to write in my own words.


Due to the great firewall, this article may not be accessible for the mainland of China.

For potential copyright risk, I won’t copy the article in my blog. I will just show the image that describes the flow of the algorithm as below:

From this picture, you can easily see how the same symmetric key is established between two endpoints. It uses color as demonstration. Behind the scene, the algorithm is supported by mathematical theory, involving Discrete Logarithm Problem.