Key Exchange
The process by which two parties establish a shared cryptographic key over a communication channel, enabling secure encrypted communication without having previously shared a secret.
Key Exchange Problem
The fundamental chicken-and-egg challenge: to communicate securely you need a shared key, but to share the key securely you need to already be communicating securely. Modern cryptography solves this without physical couriers.
Out-of-Band Key Exchange
Exchanging a cryptographic key through a separate channel from the network being secured β for example, by telephone, physical courier, or in-person meeting. Highly secure but impractical at internet scale.
In-Band Key Exchange
Exchanging a cryptographic key over the same network channel being secured. Uses asymmetric encryption to protect the transmission of a symmetric session key so it cannot be read by eavesdroppers.
Session Key
A temporary symmetric encryption key used for a single communication session. Session keys are generated fresh for each session, used during that session, and discarded when the session ends β limiting the damage if any single key is compromised.
Ephemeral Key
A cryptographic key that is generated for one-time use and discarded after a session. "Ephemeral" means temporary. Ephemeral keys are a core component of forward secrecy β they ensure that compromising today's keys cannot decrypt past sessions.
Forward Secrecy
The property that compromise of a long-term key does not compromise past session keys. Achieved through ephemeral session keys β even if an attacker later steals the server's private key, previously recorded encrypted sessions remain undecryptable. Also called Perfect Forward Secrecy (PFS).
Diffie-Hellman (DH)
A key exchange algorithm that allows two parties to independently compute the same shared secret over an insecure channel without transmitting that secret. Both parties combine their own private value with the other's public value through a one-way mathematical function to arrive at an identical result.
Key Exchange Algorithm
A mathematical process used specifically to establish a shared key between two parties β not to encrypt or sign data. Diffie-Hellman is the foundational example. The output is a symmetric key that can then be used for bulk encryption.
TLS Handshake
The negotiation process at the start of a TLS (HTTPS) connection where the client and server agree on a symmetric session key. Involves exchanging certificates, verifying identity, and establishing a shared secret using asymmetric cryptography or Diffie-Hellman.
Pre-Shared Key (PSK)
A symmetric key that is exchanged through an out-of-band mechanism before communication begins. Both parties know the key in advance. Common in WPA2 Wi-Fi (the Wi-Fi password) and some VPN configurations. Simpler than PKI but requires secure prior distribution.
Symmetric Session Key
The shared symmetric key established during a key exchange, used to encrypt the actual data of a session. Typically AES-128 or AES-256. Chosen for bulk encryption because symmetric algorithms are far faster than asymmetric ones.
Ephemeral Diffie-Hellman (DHE)
A variant of Diffie-Hellman where a new DH key pair is generated for each session. Provides forward secrecy: even if the server's long-term private key is later compromised, past sessions encrypted with ephemeral DH keys cannot be decrypted.
ECDHE (Elliptic Curve DHE)
Ephemeral Diffie-Hellman using elliptic curve mathematics. Provides the same forward secrecy as DHE but with smaller key sizes and better performance. The preferred key exchange mechanism in modern TLS 1.3 connections.
Insecure Channel
A communication path where an eavesdropper may be listening to all traffic β such as the public internet or a shared Wi-Fi network. The fundamental challenge of key exchange is establishing a shared secret over an insecure channel without exposing that secret.
Man-in-the-Middle (Key Exchange)
An attack during key exchange where an attacker intercepts communication and substitutes their own keys for both parties' keys β allowing them to decrypt, read, and re-encrypt traffic. Prevented by certificate authentication during TLS, which verifies you are talking to the genuine server.