Allied Telesis AT-S63 User Manual

Chapter 26: Encryption Keys

558

Section IV: Security

The Diffie-Hellman algorithm, which is used by the AT-S63 management
software, is one of the more commonly used key exchange algorithms. It
is not an encryption algorithm because messages cannot be encrypted
using Diffie-Hellman. Instead, it provides a method for two parties to
generate the same shared secret with the knowledge that no other party
can generate that same value. It uses public key cryptography and is
commonly known as the first public key algorithm. Its security is based
on the difficulty of solving the discrete logarithm problem, which can be
compared to the difficulty of factoring very large integers.

A Diffie-Hellman algorithm requires more processing overhead than
RSA-based key exchange schemes, but it does not need the initial
exchange of public keys. Instead, it uses published and well tested
public key values. The security of the Diffie-Hellman algorithm depends
on these values. Public key values less than 768 bits in length are
considered to be insecure.

A Diffie-Hellman exchange starts with both parties generating a large
random number. These values are kept secret, while the result of a
public key operation on the random number is transmitted to the other
party. A second public key operation, this time using the random
number and the exchanged value, results in the shared secret. As long as
no other party knows either of the random values, the secret is safe.