This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page. |
Archive 1 |
Martin Hellman has written:
(See http://www.comsoc.org/livepubs/ci1/public/anniv/pdfs/hellman.pdf, first page.)
In light of Hellman's comment, we should rename the page to "Diffie-Hellman-Merkle key exchange", perhaps with an explanation. (I'll do this if there are no objections.)
I agree that the more widely used term is "Diffie-Hellman".
However, the proper term is "Diffie-Hellman-Merkle". In addition to Hellman's published comment above, US Patent #4200770, which I am told covers this algorithm, credits all three gentlemen as inventors.
The URL of the patent itself: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=4200770.WKU.&OS=PN/4200770&RS=PN/4200770
The patent search page: http://patft.uspto.gov/netahtml/srchnum.htm
"Diffie-Hellman-Merkle" is clearly the proper name for the algorithm.
The question then is whether the Wikipedia should use the popular or the proper term.
First, the policy of the Wikipedia should be to use the appropriate term. An important function of the Wikipedia is to educate. Using outdated terminology does not further this purpose. What is more, we can hardly put on the page that the proper name for the algorithm is "Diffie-Hellman-Merkle", when this is not the term we use ourselves.
Second, the policy of the Wikipedia does actually seem to be to use proper names for things. For example, most people (in the US, anyway) refer to "Czechoslovakia" instead of "The Czech Republic". Yet, the Wikipedia page describing the current country whose capital is Prague is called "The Czech Republic". Similarly, most people incorrectly refer to the nation of Myanmar as "Burma". The Wikipedia (correctly) has a Myanmar page, to which "Burma" is redirected.
Third, I do not believe that it is the role of the Wikipedia to perpetuate an injustice. Merkle was a co-discoverer of the Diffie-Hellman-Merkle algorithm and of public key cryptography. I'm sure you will agree that these were both terribly important to the progress of cryptography. It is not just that he should be marginalized in the Wikipedia or anywhere else, particularly when there is no dispute of fact concerning his contribution.
On the practical side, if we rename the page, people who know the algorithm as simply "Diffie-Hellman" will still continue to find it, just as they do now. I fail to see any harm caused by calling the algorithm by its proper name.
You had me convinced there for a minute, but then I read this:
Calling the algorithm "Diffie-Hellman" is certainly misleading because it suggests it was invented solely by Whitfield Diffie and Martin Hellman. I believe this is also unreasonable. Other than inertia, I know of nobody in possession of the facts who believes the algorithm should be called "Diffie-Hellman", although that is certainly the popular term.
The FAQ you cited does support your interpretation, but it says at the top "This FAQ represents the opinions of some Wikipedians who support the current policy, and is not in itself official Wikipedia policy."
Since we agree the facts belong on the page I'll add a short note at the beginning of the article and then a longer discussion toward the end. Also, I'll create redirection pages for "Diffie-Hellman-Merkle" and "Diffie-Hellman-Merkle key exchange" which will send readers to the "Diffie-Hellman" page. (This is important because if somebody finds "Diffie-Hellman-Merkle" in an article they need to be able to look up the algorithm.)
My sense is that we've reached an impasse on the page title issue, though. I'll re-raise the issue in a few weeks and see if everybody still feels the same way.
Yes, I agree that "Diffie-Hellman" is certainly the popular usage. Some articles seem to start using "Diffie-Hellman-Merkle" and even then revert to "Diffie-Hellman": [ http://www.awprofessional.com/articles/article.asp?p=21409&seqNum=4 Pioneering Public Key: Public Exchange of Secret Keys]
Still, I feel, there are few cases regarding the proper terminology which are as unambiguous as this one. What gives the issue particular weight is the importance of Diffie, Hellman, *and* Merkle's work. A fair number of the pages in the Wikipedia cryptography section - and of the pages still to be written - are about ideas which are a direct consequence of the discovery of public key cryptography. It seems to me especially important that all the discoverers are recognized.
The situation would be less clear if there was a controversy regarding who did what, but I don't think anybody anywhere is arguing that "Diffie-Hellman" is the appropriate term.
Also, if the name change were to result in confusion it would be less clear. For example, the Church-Turing Thesis was anticipated by Babbage. Yet, renaming the page to "The Babbage Thesis" would certainly be pushing the envelope. (It would also be controversial.) If Church and Turing had requested it be called "The Church-Turing-Babbage Thesis", then I would recommend the title of the page be changed.
If Vigenere had publicly requested that the cipher be called the "Vigenere-Belaso Cipher" I would argue that the name be changed. Were Vigenere and Belaso still with us, and had it been unambiguously determined that Vigenere "stole" the discovery, I would probably favor changing the page name to "Belaso Cipher", if it was not controversial.
Nobody believes it should be called Williamson key exchange. (This has little relationship to what we are discussing, but the reason is that Williamson kept his work secret and it had no effect on the development of the art. People are credited not only with being smart, but also with driving the art forward. It is probable that had public key cryptography not been developed publicly, we would never have known of the work of Williamson and the others.)
On a related point, I disagree with your addition of the word "public" to make "public inventors". This implies Merkle's contribution was not public. As we can see from the patent, his participation has been known since at least 1980. If you want to say something like "named after Diffie and Hellman who published an article describing the algorithm in 1977", I would not object. But, I think it best just to drop the word "public".
Regarding the title of the page, I'm content to let the matter rest for the moment.
Okay, I see the sense of "public" now - that's a good distinction to draw. Perhaps we should change the next line to be "Ralph Merkle is a co-inventor." This kills two birds with one stone, because it would be nice to make clear that Merkle didn't invent it independently. And, it seems like it would be a mistake to clutter up the first paragraph with "...published an article...".
P.S. I went ahead and made the Merkle change since I doubt we disagree.
I took another look at Wikipedia:Naming conventions (common names) and these conventions seem to apply to the title of the page only:
Would there be an objection if I left the title of the page alone, but changed all the "Diffie-Hellman" instances to "Diffie-Hellman-Merkle"? I can live with leaving things as they are, but if it's the case that this change is not a problem, I'd like to make it. (I believe that DHM reflects recent scholarship. For example, Simon Singh's book refers to the algorithm as "Diffie-Hellman-Merkle.")
Upon further reflection and some private discussion, I have concluded that I am (cough, cough) in error on the Diffie-Hellman-Merkle issue. Sorry about that, Chief! ;-) Peter Hendrickson
It seems that much of this discussion is moot as Williamson got there first, and it is only a question of how the most widely used misattribution should be phrased. I'm in favor of the WDHM as the term since it properly recognizes Malcolm's precedence and yet includes DHM per the popular (though wrong) term in the literature.
I think we, and Williamson, are stuck with D-H, however unfairly this represents what actually happened first.
Does anyone remember the actual inventor of television, or the man who did the most to develop radio? Nope. Sarnoff iced 'em both.
(ans for those w/o a clue. Philo Farnsworth in the first case, and Edwin Armstrong in the second. In the last case it certainly wasn't Marconi as Tesla beat him to the first pole.) ww 17:19, 1 July 2004 (UTC)
The term key exchange is somewhat misleading as no keys are actually exchanged. Key agreement and key negotiation better capture what this algorithm does. Would anybody object if I were to change exchange to agreement throughout the article, leaving the title of the page unaffected? (I prefer key agreement to key negotiation since the former is more common.)
Term | Count |
---|---|
key exchange | 43,300 |
key agreement | 17,800 |
key negotiation | 12,300 |
Seems to me the Abelian requirement isn't what makes g^xy=g^yx, since the group operation is multiplication rather than exponentiation. x and y are integers, not even group members, since they specify the number of times g is multiplied by itself. So xy=yx because the integers are commutative, and g^x^y=g^xy because that's just a group property according to Exponentiation. So could somebody better at number theory clarify the Abelian requirement, please? Lunkwill 23:00, 6 Aug 2004 (UTC)
I'm not a matematician. I'm not a cryptographer. I'm however a tad interested in the subject. The description of the algorithm in the article is:
Now, I always thought the key exchange went something like this:
1. Alice and Bob agree on the public variables 'g' and 'p'.
2. Alice picks a random natural number a and sends g^a mod p = A .. to Bob
3. Bob picks a random natural number b and sends g^b mod p = B .. to Alice
4. Alice computes B^a mod p , and gets the shared secret.
5. Bob computes A^b mod p , and gets the shared secret
This is also how it is explained in: http://www.nyx.net/~awestrop/crypt/dh.htm
I kind of feel that the "variable" p is missing in the general description. I'm not quite familiar with group theory; I just have a "vague" understanding that you might have omitted any reference to mod p, assuming it is already understood as the definition of the group operation. I suppose p is the order of G? What about mentioning it explicitly? Erizzaaaaa ( talk) 02:05, 1 January 2010 (UTC)
Which algorithms are used for g and p (the prime and the primitive)? Thanks, -- Abdull 10:48, 29 March 2006 (UTC)
A minor point, but the article says:
Of course, much larger values of a,b, and p would be needed to make this example secure, since it is easy to try all the possible values of gab mod 23 (there will be, at most, 22 such values, even if a and b are large).
Shouldn't that be 23 such values, since 0 is possible? Or am I missing something? ManaUser 04:26, 21 September 2006 (UTC)
NO. It is 22 because it is the
Multiplicative group of integers modulo n --
MagnusPI (
talk) 11:40, 27 November 2007 (UTC)
The article claims
According to Lenstra computing discrete logarithms in modulo a 300 digits (about 1000 bits) is roughly equivalent to a 74 bit symmetric cipher, which is claimed to be secure until about 2006. Thus 300 digits or 1000 bits seems to be just about the minimal size for p today. 67.84.116.166 05:08, 21 September 2006 (UTC)
Any particular reason for the apparently arbitrary renaming of "Alice" to "Jana" in the examples in this article? I was going to revert the article, since "Alice" and "Bob" are overwhelmingly accepted as the standard example names, but since the editor went as far as editing a diagram in the article, I wondered if there was a legitimate reason for it... -- stephenw32768< talk> 23:41, 17 November 2006 (UTC)
Okay in the security section it says this:
But in the description section it says that:
Well which is it? What value should I pick for g?
This is just to help people, like myself, who are new to crypto and are following the example. I found the tables for Alice and Bob, with columns 'Sec' and 'Calc' to be very helpful. However, I kept scratching my head wondering "how did Bob get 'a' found in row 5?". Then I got it: Bob did not get a, but Bob got A.
I think it would be very helpful to replace the (g^a mod p) with A, and perhaps a note indicating that A = (g^a mod p) as a calculated value. I think this would help newbies like me.
Thanks, -- Natersoz 17:31, 14 February 2007 (UTC)
I removed a link to an online paper describing a Diffie-Hellman key exchange between multiple parties, because the scheme described there is fully anticipated. If there is a wish to include a group Diffie-Hellman key exchange into this article then for example the following paper can be used as a reference: E. Bresson et al., "Provably authenticated group Diffie-Hellman key exchange", Proceedings of the 8th ACM conference, 2001. 85.2.20.96 19:12, 20 March 2007 (UTC)
I'm a non-expert, but isn't D-H exchange very slow? I didn't see that scanning through the article, but it's an important drawback -- otherwise people might wonder why we don't all just use D-H to exchange keys for one-time pads or something?
— Preceding unsigned comment added by 71.194.163.223 ( talk) 14:50, 19 July 2007 (UTC)
How about a (sub)section on DH Groups? I only know of four and don't exactly know how they are classified or where the classifications are determined. AlephGamma ( talk) 00:13, 7 December 2007 (UTC)
[1] -- 68.161.148.207 ( talk) 09:30, 27 April 2008 (UTC)
The article states that g is frequently small, just 2 or 5. While the algorithm would work with those values, it would be more secure to actually choose g as a primitive root of the group. This is unlikely to be 2 or 5 for a 300+ digit prime P. And furthermore, with only a 100-digit "a" and "b" on each side, that small value for g is unlikely to give a good mashing up of its value through modular exponentiation (i.e., bit rotation and chopping).
And even if you were to use much larger values for "a" and "b" exponents, the poor choice of g might very likely give a shorter period than the group size of (P-1), whereas using a primitive root for g assures a maximal length sequence.
A primitive root g is such that, for all prime factors, p, of (P-1) one has g^((P-1)/p) mod P /= 1. That can be found by randomly probing, as in the Lucas-Lehmer test for prime assurance.
Of course, getting those prime factors of (P-1) might be a bit of a challenge for a 300-digit P. But by careful construction of the prime you can make it relatively easy. Just use a seed prime U of some fewer digits in length and start searching for some multiple k, where (2*k*U + 1) is prime. Then the prime factors of (P-1) become 2, those of k, and U itself. From there Lucas-Lehmer with random probing should find a suitable primitive root g within an average of 3 looks, and nearly always in less than 20 looks. —Preceding unsigned comment added by Dbmcclain ( talk • contribs) 16:01, 30 December 2009 (UTC)
... just my 2c —Preceding unsigned comment added by Dbmcclain ( talk • contribs) 15:54, 30 December 2009 (UTC)
Is this guaranteed for any prime g if G is known prime? —Preceding
unsigned comment added by
75.45.0.228 (
talk) 23:18, 8 August 2010 (UTC)
The article says, Alice picks a random natural number a and sends ga to Bob, with a link to natural number. Unfortunately, natural number starts out by saying there's two definitions (including or excluding zero). We should be more explicit which one we mean. -- RoySmith (talk) 20:52, 7 April 2010 (UTC)
I feel that the table used as an example might be incorrect. It shows (gb mod p)a mod p as being public, but isn't that the key? As you'll notice, that value is never sent in plaintext in the rest of the example. I believe this would be an appropriate change, but I don't want to make it without checking it with others.
|
|
|
146.186.210.55 ( talk) 01:57, 24 April 2010 (UTC)
This section states:
since a and b are secret and g is public, sending ga would lead to disclosure of a. I think this needs to say "ga mod p". Ufotds ( talk) 08:56, 5 July 2010 (UTC)
If Alice's public key was , would easily be computable by . Common sense and lecture of the article suggests the public key be . I changed it (since this is definitely more true than the version before), but I cannot verify that! 79.219.194.112 ( talk) 14:05, 3 November 2011 (UTC)
Wouldn't the reference on Hellman's paper be: Martin Hellman, An overview of Publick Key Cryptography, IEEE Communications Magazine, NOV 1978, p. 24--32 (based on retrieving this paper from the IEEE)? —Preceding unsigned comment added by 24.37.252.19 ( talk) 11:47, 18 September 2010 (UTC)
The two links to the US patent are broken. – 134.60.1.151 ( talk) 16:27, 25 November 2010 (UTC)
Why is their spammy-looking junk at the very bottom of the article? —Preceding unsigned comment added by 128.61.83.190 ( talk) 11:26, 28 March 2011 (UTC)
I just added this section. I didn't cite any references, as I had trouble actually finding any. Google searches lead to very little information; the only reference I could seem to find was that the Java implementation of Diffie-Hellman through javax.crypto.KeyAgreement
permits this by setting lastPhase
to false
; most Web pages talking about multi-party DH merely show examples of how to use the Java classes to do this. Examining the Bouncy Castle JCE provider's source code reveals that the math I show in the article is indeed how the algorithm is implemented, but using source code as an encyclopædic reference seems odd.
Hawk777 (
talk) 06:11, 7 June 2011 (UTC)
Through most of the article Alice and Bob are picking a prime p and base g. However, in the SECURITY section they choose G and g. Is G intended to refer to the same thing as p?
Thanks! Fitzhugh ( talk) 21:29, 16 February 2012 (UTC)
The problem is that it requires you to enter any random prime value you want for both p and g. The problem with that is while p is supposed to be a random prime, g is supposed to be SPECIFICALLY a number that falls into a category called "primitive root mod p". There is NO PRIMITIVE ROOT GENERATOR algorithm shown in this code. I guess the sample C code hopes you to have entered a "primitive root mod p" for the value of g, and runs with whatever you did enter. However the algorithm will ONLY work properly if g is in fact a "primitive root mod p". It will fail if g is ANYTHING other than that. Please fix this code. I'm trying to implement this my self and am not aware of a good "primitive root mod p" generator algorithm. Please include some sample code for this process so I can read it and then implement it in my own program I'm writing. Animedude5555 ( talk) 12:41, 26 August 2013 (UTC)
I think mod p is missing in steps 2 and 3 in section "Explanation including encryption mathematics": 2. Alice picks a random natural number a and sends g[super]a[/super] to Bob. 3. Bob picks a random natural number b and sends g[super]b[/super] to Alice. Otherwise, a and b could easily be calculated as and , respectively. I' am not quitte sure about this, however, so I didn't change in in the article.
Per /info/en/?search=Talk:Diffie%E2%80%93Hellman_key_exchange/Archive_1#key_exchange_-.3E_key_agreement.3F , this system is more a key-agreement protocol than an arbitrary-key-exchange protocol. I propose renaming this article to 'agreement' and leaving a redirect.
As well, the 2002 quote by Diffie cited on the page itself says that he (at least) calls it Diffie-Hellman-Merkle. I think that this would be a good thing to rename the article itself to as well. Instead of doing two steps (rename to Agreement, rename to Diffie-Hellman-Merkle), it might be easier done as one step.
Aerowolf ( talk) 18:50, 12 February 2014 (UTC)
Shouldn't
"even the fastest modern computers cannot find a given only g, p, g^b mod p and g^a mod p"
read
"even the fastest modern computers cannot find a given only g, p and g^a mod p" ?
Holding no information concerning a, g^b mod p isn't of any help for finding a - or is it? -- FePo2 ( talk) 11:25, 27 March 2015 (UTC)
This is the sentence that seems to suggest that Diffie-Hellman is not vulnerable to MITM:
The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
Either the article shoud define "insecure communications channel" as a **signed** communication channel, which -- to me -- doesn't make much sense, or it should be removed/rephrased.
Moebius eye ( talk) 20:38, 6 June 2014 (UTC)
" Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public."
I acknowledge that some people falsely classify it as such but it is missing two essential details. First, it is not crypto, as it does not involve encrypting data at all. It is an agreement protocol where two parties agree on a secret. Second, it does not use "two separate keys" where one is secret and one is public. I edited the page to clarify that and User;Quondom reverted. I edited the page again to note the fact that some people (at least User:Quondom if no one else) believe it is public-key crypto and this was promptly reverted by an anonymous user.
There are no citations for the belief that DH is public-key crypto and even my CN tags were removed. I am restoring just the CN tag since the fact that there is no citation for a claim in an article is not a matter of opinion. Note that there is a citation on that paragraph but it backs up my version of this page, not the reverted version.
Note that if this tag is removed, that will constitute a violation of WP:3RR. --- Vroo ( talk) 20:12, 4 April 2015 (UTC)
The Menezes, van Oorschot, Vanstone quote doesn't say the DH algorithm is public-key crypto but that the paper introduced public-key crypto (I'm not sure that's accurate given the earlier Merkle work, but that's a different issue). There's a difference between introducing the concept and making that concept practical. Consider: clearly, Merkle introduced the concept of secure key agreement over an insecure channel but the proposed algorithm was impractical. DH introduced a practical solution to key agreement.
The Public-key cryptography page says "The distinguishing technique used in public-key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it." This is the common interpretation. But then take a look at the illustration on that page regarding DH (this is much less informative than the paint illustration on the DH page). It describes DH as having public and private keys. The so-called keys (intermediate values) in the DH algorithm are not used to encrypt or decrypt messages. In fact, there is no way to use the DH algorithm to communicate information at all. The result of the algorithm is agreement on a shared secret but neither party has any way to influence the value of the secret in a way that would allow communication (otherwise, the algorithm would be fundamentally flawed). A dictionary definition of cryptography is "the process of writing or reading secret messages".
Yes, it is a cryptographic algorithm in the sense that it is used in cryptography bit it's not cryptography by itself. Similarly, a cryptographic random number generator is not cryptography but it is cryptographic.
P.S. Regarding "take a breath" it is frustrating to make a simple edit to a page and have it immediately reverted by you and then having my next change immediately reverted by an anonymous user. Frankly, I'm tired of editors protecting pages from anyone else editing them by reverting changes they disagree with. Your comments here seem that you are willing to edit this page to address this issue. I don't know if the anonymous user will concur. --- Vroo ( talk) 06:30, 5 April 2015 (UTC)
Quondum: I agree that cryptography is more than just encryption. But you seem to be confused on what the word public means in public-key crypto. Suppose Alice and Bob use DH to agree on a secret key. Then they proceed to use that secret key to encrypt their communication. They do this by XORing the key into the contents of their messages. Admittedly the XOR cipher isn't a very good one, but I choose it because no one would ever claim it is an instance of public-key encryption. Yet you claim this system constitutes public-key cryptography because each party has some secrets not known to the other. But in fact, the DH algorithm doesn't depend on a and b remaining private. It only requires that they be temporarily secret from the other party and that they be permanently secret from adversaries. Conversely, what you call public keys in DH must be shared with the other party and must not be shared with an adversary. If an adversary acquires both parties' public keys, then the game is over. In true PK crypto, the private keys must remain private and the public keys can be shared with anyone, even adversaries.
For comparison, consider the following algorithm for generating a new shared secret between two parties that already have a shared key (k1). We want to generate a new key that neither party can choose unilaterally yet is in no way dependent on our existing key. Here's the algorithm: Alice generates two secret values a1 and a2. She encrypts a1 using a2 as the key. Sending E_a1(k1, now, a2) to Bob. Likewise, Bob generates b1 and b2 and sends E_b1(k1, now, b2) to Alice. Once Alice receives this from Bob, she sends Bob back a1, and Bob likewise sends Alice b1. Each can decrypt, verify that the first part of the encrypted data is the old shared key, the time value is sufficiently recent that this is not a replay and derive a2 and b2 respectively. They then generate k2 = a2 XOR b2. Is this also public-key crypto? It relies on the fact that a1 and b1 are initially private (just as a and b in DH) but they must be exposed for the algorithm to work.
(Yes, I glossed over details here, like requirements on the encryption algorithm and size of k, a1, a2, b1, b2 that make it infeasible for Alice to generate a post-hoc a1 value in order to choose a particular value of a2 after decrypting b1. I'm sure you can fill in the blanks.) --- Vroo ( talk) 01:34, 16 April 2015 (UTC)
The equality:
(g^a mod p)^b mod p = (g^a)^b mod p)
was given on the page, but no justification was given. I've googled many places, but found no justification.
It was repeated here:
http://security.stackexchange.com/questions/45963/diffie-hellman-key-exchange-in-plain-english
but that also failed to provide justification.
The, maybe closest, to a justification was here:
http://math.stackexchange.com/questions/360248/does-ga-mod-pb-equiv-gab-mod-p-hold-true
but that just gave a hint on how to derive the equality, but not a strong enough hint for me.
Could someone please provide a link to a justification of provide a justification?
TIA.
Cppljevans ( talk) 18:32, 5 May 2015 (UTC)
Cppljevans | Hawk777 |
---|---|
g^a | A |
p | M |
b | 2 |
(g^a)^b |
No, I'd say the table looks wrong. Start with g = A. As Hawk777 indicates, multipication and taking the modulus commute. (A more formal approach might treat g as the set of all values that are equal to some given value plus a multiple of p, but let's stick to reducing values modulo p.) We need the identity (g ⋅ h) mod p = ((g mod p) ⋅ (h mod p)) mod p. If you write g and h as say g = g′ + m ⋅ p and h = h′ + n ⋅ p, you should be able to convince yourself of this pretty quickly (see Modular arithmetic). Using the normal property of (ga)b = ga⋅b, the required identity on the respective mod p values follows pretty directly. — Quondum 13:25, 9 May 2015 (UTC)
A new vulnerability, called Logjam, has been found allowing an attacker to downgrade an HTTPS connection (and possibly SSH and VPN) to 512 bit encryption. From there, the connection can be compromised further.
Links: ArsTechnica Article Research Paper — Preceding unsigned comment added by Sacredsocks ( talk • contribs) 22:53, 20 May 2015 (UTC)
logjam isn't just a vulnerability in export suites. it's the combination of a downgrade attack similar to FREAK with vulnerability in DH itself, and the small size of export DH parameters just makes the vulnerability easier to exploit. the vulnerability is still there even if larger parameters are used. hotaru2k3 ( talk) 06:16, 21 May 2015 (UTC)
The logjam paper also points out that the use of a few well known prime groups enables precomputation. SOme of these well known primes are even embedded in standards documents. The article should point out that all primes should be choosen at random (plus some restraints fo weak primes ?) to void such precomputation. 78.54.73.38 ( talk) 13:48, 21 May 2015 (UTC)
precomputation still works if servers use unique random primes. if a server uses the same prime for millions of connections, an attacker only has to expend the effort of breaking a single key to break all of them. the only way to maintain forward secrecy is to choose a new prime for every connection, and even ephemeral RSA is faster than that. hotaru2k3 ( talk) 15:08, 21 May 2015 (UTC)
Hello fellow Wikipedians,
I have just added archive links to one external link on
Diffie–Hellman key exchange. Please take a moment to review
my edit. If necessary, add {{
cbignore}}
after the link to keep me from modifying it. Alternatively, you can add {{
nobots|deny=InternetArchiveBot}}
to keep me off the page altogether. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true to let others know.
This message was posted before February 2018.
After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than
regular verification using the archive tool instructions below. Editors
have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the
RfC before doing mass systematic removals. This message is updated dynamically through the template {{
source check}}
(last update: 18 January 2022).
Cheers. — cyberbot II Talk to my owner:Online 22:17, 25 August 2015 (UTC)
Hello fellow Wikipedians,
I have just added archive links to 2 external links on
Diffie–Hellman key exchange. Please take a moment to review
my edit. If necessary, add {{
cbignore}}
after the link to keep me from modifying it. Alternatively, you can add {{
nobots|deny=InternetArchiveBot}}
to keep me off the page altogether. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true to let others know.
This message was posted before February 2018.
After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than
regular verification using the archive tool instructions below. Editors
have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the
RfC before doing mass systematic removals. This message is updated dynamically through the template {{
source check}}
(last update: 18 January 2022).
Cheers.— cyberbot II Talk to my owner:Online 08:42, 27 February 2016 (UTC)
Hello fellow Wikipedians,
As far as I know, what Clifford Cocks described in the '70 was a cryptosystem similar to RSA, not a DH key exchange. Am I right? — Preceding unsigned comment added by 87.220.154.159 ( talk) 06:07, 4 September 2016 (UTC)
Hello fellow Wikipedians,
I have just modified 2 external links on Diffie–Hellman key exchange. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{
Sourcecheck}}
).
An editor has reviewed this edit and fixed any errors that were found.
Cheers.— InternetArchiveBot ( Report bug) 00:18, 13 December 2016 (UTC)
This uses the 2048 bit prime suggested in rfc3526 :
p =
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
a =
(secretly chosen by A, should also be 2048 bit, but shorter here)
19283746AABBCCDDEEFF00112233445598765432
b =
(secretly chosen by B, should also be 2048 bit, but shorter here)
A91B25C68FE7A6D8998877661928332219345678
x = 2^a mod p =
(calculated and transmitted by A)
D9487989280A9B0FC49A58CB4DCC73340C6828967D90AFE352BF6E61670FC94BEC37
DB07F6DAE2233EFB9D597314CEE442C14C3E22483E84A8110C6E02FE7519A1A583CC
2EA9FC650B0C89D57EFA46DCB6934F0DB6DC3BADC43E41BC895D4498F813BAEFA97D
2D8B75B7D6C5C05930F2D7C599238060AD23C9E0DED20E843699A8F8F092C74816D9
1D37DB11CE78A9DD9BD8D352691708CD7E6E7E2B076D43A46E87C5F46C79A3BE0011
3BC47AD1569641FB92001D7F0A1FBFEC2FDD9A23F62786DE02A387A9FC781C682E42
866B4BC98239C7F5F3ABDD40AA30E68F0A44C91858F9C063BE7FEB76FAD6E2B9B384
97C0F135EE78C761C641BCEB34855BA5CAF2
y = 2^b mod p =
(calculated and transmitted by B)
C4EE2EF71F72CC5CF4FDE2CA0BE64D4FBD65552DD0D644615A064CC35E40E17A18D6
DF56F72DACF6424FFD8CAEA7B23DE82E3A7DD586668AFE51B0AD3E08DF85F899E6D3
B6B8AAEEDEB91FAFCDC5E104E10284E270B22B902304457031E754980E348F709549
4CC520D3A860BCA205884A64540BF6ED5C19ECF6A0AFB21A10911C423CB1C5D993B0
7FE85E84F086896D987A2D029A4E30B0E1FBAD8BDC4E4DAA560CE183E1AD0D0A3FB7
2CF1279D9175E8CEA4B0E0736DCAA5D8590C1071A9212F2CC54B0630843EF428F88B
29655E88CA8C3AF31C42B2E023C485A32D3C2352CC394A7425FD1994F93B78F353B3
0C07480F3DB6FCF756824A204F59C7E9E354
KeyA = y^a mod p = 2^(b*a) mod p
(calculated by A)
485FFE50D43480DD431DC03F26BC91055D4B1159DBD0AB760E1070661761E54E2B84
F62AD290DA2023319F580CB594AD013331B676C5BBC273C75703096C3B919CCB14B9
1F09F1E78356D592D3AD3DB124D650139BA58FE1C782E6A17BA877175054D3206A65
C09EC6AF3DE2605C419FE266FD7D6B1BBC0868FE8E93302DE7708B78488CB5674BD4
86FE36FBBC84FFC4F80F7BF4E8739B9DC9B7385DB05087876C3F8F0032A281ED3464
BF0154C782611FB68251BBD2AE6829F73B4F3CC53AFD8B82B3B4CC9955591D5F8151
84DDAF80E8B7F977E0CBD2E3FE175120F3199E32F3A02EA42B241D1DFCCFF61BB679
A25E0802C0FDE59E531545FF3B97DD5236CD
KeyB = x^b mod p = 2^(a*b) mod p
(calculated by B)
485FFE50D43480DD431DC03F26BC91055D4B1159DBD0AB760E1070661761E54E2B84
F62AD290DA2023319F580CB594AD013331B676C5BBC273C75703096C3B919CCB14B9
1F09F1E78356D592D3AD3DB124D650139BA58FE1C782E6A17BA877175054D3206A65
C09EC6AF3DE2605C419FE266FD7D6B1BBC0868FE8E93302DE7708B78488CB5674BD4
86FE36FBBC84FFC4F80F7BF4E8739B9DC9B7385DB05087876C3F8F0032A281ED3464
BF0154C782611FB68251BBD2AE6829F73B4F3CC53AFD8B82B3B4CC9955591D5F8151
84DDAF80E8B7F977E0CBD2E3FE175120F3199E32F3A02EA42B241D1DFCCFF61BB679
A25E0802C0FDE59E531545FF3B97DD5236CD
Maybe someone wants to reformat this and include it in the main page. 18:00, 18 February 2016 (UTC) — Preceding unsigned comment added by 194.25.174.98 ( talk)
This is brilliant. Many thanks to the person who contributed this. There are many explanations on how Diffie–Hellman works but when it comes to actually implementing something, it is unclear what p, g and q are and where they come from. This examples clarifies that and should be included on the main page. 203.118.131.249 ( talk) 04:11, 5 July 2017 (UTC)
Hello fellow Wikipedians,
I have just modified 2 external links on Diffie–Hellman key exchange. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018.
After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than
regular verification using the archive tool instructions below. Editors
have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the
RfC before doing mass systematic removals. This message is updated dynamically through the template {{
source check}}
(last update: 18 January 2022).
Cheers.— InternetArchiveBot ( Report bug) 14:11, 10 September 2017 (UTC)
The former section uses a=3 and b=4 while the latter one is using a=6 and b=15 as private numbers. I could not guess any reason for that. Do you agree that it is better to change the latter to use the same private numbers (a=3 and b=4)? Alfa80 ( talk) 16:09, 5 November 2017 (UTC)
Needs a section for cryptographic explanation of Elliptic-curve Diffie–Hellman and difference between ECDH and DH. 117.195.57.218 ( talk) 08:24, 19 November 2017 (UTC)
Bob should mix yellow with blue, getting green. Now, he is mixing yellow with green-blue, getting light-blue, which is absurd. This issue concerns both the text and the illustration. Thank you for your attention. MCiura ( talk) 17:14, 10 May 2018 (UTC)
As some more explained here https://productforums.google.com/forum/#!msg/webmasters/oPsAZ5Dc2hg/sa7I8YCOvxwJ citing this page gives some issues as when copying the url and pasting it, depending where one were working on (e.g. an editor or notepad app) it performs the following url link " /info/en/?search=Diffie%E2%80%93Hellman_key_exchange" (note the "%E2%80%93" extra for coding the "en dash" (U+2013, –, e2 80 93, EN DASH). Perhaps it helped to change the name including a more standard joining sign in the page name. — Preceding unsigned comment added by 86.30.159.160 ( talk) 12:42, 7 January 2018 (UTC)