Chapter 13 Β· Concepts

Key Exchange β€” Core Concepts

Visual maps and comparison tables for every key exchange concept on the exam.

The Two Methods of Key Exchange

MethodHow It WorksSecurityPracticalityUse Case
Out-of-BandKey delivered through a separate channel (phone, courier, in-person meeting)Excellent β€” key never crosses the networkPoor β€” cannot scale to millions of connectionsGovernment/military classified key material, WPA2 PSK setup
In-BandKey exchange happens ON the network; asymmetric encryption protects the symmetric keyGood β€” eavesdroppers see only the encrypted keyExcellent β€” fully automated, scales to billions of TLS connectionsHTTPS, TLS, most modern encrypted protocols

In-Band Key Exchange: Step by Step

1
Server sends public key
The server's public key is embedded in its TLS certificate, which is sent to the client during the handshake. Anyone can see this β€” it's public.
↓
2
Client generates session key
The client generates a random symmetric session key (e.g., a 256-bit AES key). This is generated locally and never sent in plaintext.
↓
3
Client encrypts session key
The client encrypts the session key using the server's public key. Only the server β€” holding its private key β€” can decrypt this.
↓
4
Client sends encrypted session key
The encrypted session key travels across the network. Eavesdroppers see it but cannot decrypt it without the server's private key.
↓
5
Server decrypts session key
The server uses its private key to decrypt the session key. Now both client and server have the same symmetric key β€” without it ever being transmitted in plaintext.
↓
6
Symmetric encryption begins
All subsequent traffic is encrypted with the fast symmetric session key (AES). Asymmetric encryption is no longer needed for this session.

Diffie-Hellman Key Exchange

The Core Idea: Both parties independently compute the SAME shared secret without either side transmitting that secret. The math ensures that even an eavesdropper who sees all messages cannot derive the shared secret.

What gets sent publicly

  • Alice's public DH value (derived from her private value)
  • Bob's public DH value (derived from his private value)
  • The agreed mathematical parameters (prime, generator)

An eavesdropper sees all of this β€” it's sent in the clear.

What never leaves each party

  • Alice's private DH value
  • Bob's private DH value
  • The resulting shared secret

Neither private value nor the final shared secret is ever transmitted.

The math (conceptually)

Alice computes: Bob's public value + Alice's private value β†’ Shared Secret

Bob computes: Alice's public value + Bob's private value β†’ Same Shared Secret

The mathematical function is designed so both operations produce identical results.

Why eavesdroppers cannot compute it

Deriving the private value from the public value requires solving the discrete logarithm problem β€” computationally infeasible with properly sized parameters.

The eavesdropper has the public values but cannot work backwards to the private values or the shared secret.

Session Keys vs. Long-Term Keys

PropertySession KeyLong-Term Key (e.g., Server Private Key)
LifetimeOne session (minutes to hours)Months to years
GenerationGenerated fresh for every connectionGenerated once, stored securely
PurposeEncrypt the actual data of this sessionIdentity, authentication, key exchange
If compromisedOnly this one session's data exposedCould expose all sessions (without forward secrecy)
AlgorithmSymmetric (AES) β€” fast for bulk dataAsymmetric (RSA/ECC) β€” used for key exchange only

Forward Secrecy Explained

Without Forward Secrecy

An attacker records encrypted traffic today. Years later, they obtain the server's private key (breach, court order, cryptanalysis). They can go back and decrypt all the previously recorded sessions.

Risk: Past traffic is exposed retroactively.

With Forward Secrecy (Ephemeral Keys)

Each session uses a freshly generated ephemeral key pair. The session key is derived from ephemeral values, not the long-term private key. When the session ends, the ephemeral keys are deleted.

Result: Even if the server's long-term private key is later stolen, previously recorded sessions cannot be decrypted β€” those ephemeral keys no longer exist.

How to achieve it

Use DHE (Diffie-Hellman Ephemeral) or ECDHE (Elliptic Curve DHE) in TLS. TLS 1.3 mandates forward secrecy β€” all supported cipher suites use ECDHE.

Exam tip

Forward secrecy = "compromise of long-term key does not compromise past sessions." The key word is past. Ephemeral keys make each session independent.

DH Variants: Static vs. Ephemeral

VariantKey GenerationForward SecrecyPerformanceModern Usage
DH (Static)Fixed key pair reused across sessionsNo β€” same keys used every timeFast (no key gen per session)Deprecated in TLS 1.3
DHENew key pair generated each sessionYesSlower (key gen per session)Supported but ECDHE preferred
ECDHENew elliptic curve key pair each sessionYesFast (smaller keys, efficient math)Default in TLS 1.3