Home Page


Email & Spam

Security Terminology

Security Topics

VPN & Cryptography





VPN Terminology

VPN Tutorial Guide



Aggressive Mode

Authentication Header

Asymmetric Encryption


Certification Authority

Data Integrity



Digital Certificate

Dynamic IP addresses





IPSec Quick Mode


Main Mode







Pre-Shared Key

Remote Access User


Security Association


Site to Site VPN


Transform Sets

Tunnel mode and Transport mode

VPN client tunneling option

VPN Topologies

VPN Tunnel


Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?


What is Guide

What is a Firewall?

What is a Virus?

What is Spam?


Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security



Top 8 Internet Security tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?



Diffie Hellman Encryption Tutorial - Cryptography on Public keys




Diffie-Hellman is an asymmetric key algorithm used for public key cryptography. As well as IPSec it is also used for SSL, SSH, PGP and other PKI systems.

The Diffie-Hellman algorithm was created to address the issue of secure encrypted keys from being attacked over the internet when in transmission, though using the Diffie-Hellman algorithm in distributing symmetric keys securely over the internet.

The process works by two peers generating a private and a public key. Peer A would send it’s public key to peer B and peer B would send it’s public key to peer A. Peer A would then use the public key sent from peer B and it’s own private key to generate a symmetric key using the Diffie-Hellman algorithm. Peer B would also take the same process as peer A and in turn produce the exact same symmetric key as peer A, though enabling them to communicate securely over the in-secure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.

However some concerns were found later within the Diffie-Hellman algorithm such as Man-in-the-middle attacks as there is no authentication in place before keys are exchanged. How would peer B know that it is about to exchange keys with peer A? It could easily be a hacker spoofing peer A’s identity. This led to the more advanced public key cryptography in RSA. However using authentication methods such as pre-shared keys and digital certificates to authenticate VPN gateways have overcome this issue. So using Diffie-Hellman along side authentication algorithms is a secure and approved solution. Diffie-Hellman is based on calculating discrete logarithms in a finite field.

Diffie-Hellman public key cryptography is used by all major VPN gateway's today, supporting Diffie-Hellman groups 1,2 and 5. DH group 1 consists of a 768 bit key, group 2 consists of 1024 bit key and group 5 comes with 1536 bit key. Group 5 is the strongest and most secure.

Diffie-Hellman just does key exchange and does not do data encryption, digital signatures or any authentication.

As well as Diffie-Hellman, some other asymmetric encryption algorithms are RSA, ECC, El Gamal, DSA, LUC and Knapsack.

Further Reading

Wikipedia's guide to Diffie-Hellman Key Exchange