There seems to be a lot of hype about asymmetric Public Key encryption. RSA, PGP... etc. You have a set of two keys and distribute one, so that either only you can encrypt the message or only you can decrypt the message. One method provides a way to verify the sender, while the other provides a way to secure the message. (Feel free to correct me if I am wrong.)

Now, I have also been reading about the Diffie-Hellman class of Key-Exchanges. This seems to be more secure as you can verify the sender and secure the message with the keys as each 'conversation' requires a computed 'shared key'.

So, my question is, are there any major disadvantages (besides the setup requirements) to using Diffie-Hellman over a more standard form of public key encryption?

Or, to put it more bluntly. If Diffie-Hellman makes more sense, why isn't it the standard form of encryption?

+2  A: 

Symmetric encryption is orders of magnitude faster / less computationally intensive than PKI. Also, there are differences in key size. As the encryption / decryption must happen not only on the server side, where CPU power and RAM are no problem, but also on the client side, you may have a mobile device that is much more limited.

Miro A.

I might be wrong, but the algorithm described at Wikipedia looks to me like a public key encryption.

Both parties choose a secret (private key) and share another key, which is related to the private key (this is the public key).

Just in order to provide a somewhat complete picture: in real-world algorithms, public key encryption is used to exchange a secret, which is then used to encrypt the main communication with a symmetric algorithm, which is much faster than PK encryption.

Jens Schauder
+5  A: 

Diffie-Hellman key agreement provides a way of establishing a common secret key which is virtually impossible to determine by passive adversaries, i.e. people who only listen to the communications.

However, basic D-H is vulnerable to man-in-the-middle attacks. In other words, you can establish a shared secret key, but in the presence of active adversaries you don't know with whom you share the key.

That's where public key cryptography has its place. When you have a genuine public key of someone, you can be sure that the encrypted data can be read only by that person.

Making sure that a given public key really belongs to someone is a separate issue and is solved e.g. by Public Key Infrastructure.
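To make the "passive versus active adversary" distinction concrete, here is an added Python example (not code from the original answer). It uses a deliberately tiny constructed group (P = 1019, Q = 509, G = 4) so the numbers are readable; a real deployment would use a 2048-bit or larger group. The `honest_exchange` and `relayed_exchange` functions, and the fixed exponents passed to them, are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy DH group, constructed for legibility only (NOT secure: the discrete log is
# trivial at this size). Real deployments use 2048-bit+ groups (e.g. RFC 3526/7919).
P = 1019   # safe prime: P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # generator of the order-Q subgroup


def dh_keypair(x=None, p=P, q=Q, g=G):
    """Return (private exponent x, public value g^x mod p). x is drawn at random
    unless a fixed value is supplied for a deterministic demonstration."""
    x = secrets.randbelow(q - 1) + 1 if x is None else x   # 1 <= x <= q-1
    return x, pow(g, x, p)


def dh_shared_key(my_private, their_public, p=P, q=Q):
    """Derive a symmetric key from the DH shared secret.
    Rejects public values outside the order-Q subgroup (1, p-1, or any element
    of the wrong order), which is the standard public-value validation step."""
    if not 1 < their_public < p - 1 or pow(their_public, q, p) != 1:
        raise ValueError("invalid DH public value")
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(b"toy-dh" + shared.to_bytes(16, "big")).hexdigest()


def honest_exchange(a=None, b=None):
    """Alice and Bob exchange public values directly and derive the same key.
    A passive listener sees only (P, G, A_pub, B_pub), never a or b."""
    a, a_pub = dh_keypair(a)
    b, b_pub = dh_keypair(b)
    return dh_shared_key(a, b_pub), dh_shared_key(b, a_pub)


def relayed_exchange(a=None, b=None, m=None):
    """The same exchange with an active relay substituting its own public value.
    Each side's computation 'succeeds', but Alice now shares a key with the relay
    and Bob shares a different key with the relay. Plain DH carries nothing that
    lets either party notice; that is what an authenticated exchange adds."""
    a, a_pub = dh_keypair(a)
    b, b_pub = dh_keypair(b)
    m, m_pub = dh_keypair(m)                  # the relay's own exponent
    alice_key = dh_shared_key(a, m_pub)       # Alice believes m_pub came from Bob
    bob_key = dh_shared_key(b, m_pub)         # Bob believes m_pub came from Alice
    relay_with_alice = dh_shared_key(m, a_pub)
    relay_with_bob = dh_shared_key(m, b_pub)
    return alice_key, bob_key, relay_with_alice, relay_with_bob


if __name__ == "__main__":
    k_alice, k_bob = honest_exchange()
    print("honest exchange, keys match:", k_alice == k_bob)
    ak, bk, ra, rb = relayed_exchange()
    print("relayed exchange, Alice==relay:", ak == ra, " Bob==relay:", bk == rb,
          " Alice==Bob:", ak == bk)
```

The subgroup check in `dh_shared_key` is the part practitioners most often forget: without it, a peer can send a degenerate value such as 1 or p-1 and force a predictable shared secret. The relayed case shows why the check is necessary but not sufficient: the substituted value is a perfectly valid group element, so only authenticating who sent it (a signature or MAC over the public values) closes the gap.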


The main problem that you have to be aware of with the Diffie-Hellman method of communication is that it is vulnerable to the Man-in-the-Middle attack.

This is not possible with RSA, because only the person who created the public key can decrypt the message, thus you can say with complete confidence that the right person is reading the message.

Diffie-Hellman is very useful for secure two way communication with someone, so long as you are not too concerned with who that someone is.

RSA is also vulnerable to MITM. If you do not know the person you are communicating with (e.g. his public key) you have no way to verify that you are talking to the right person. The attacker can just send his public key and pretend to be the person you're wanting to talk to.
Very true. Perhaps a better way to say it is that RSA guarantees that the only person who can read the message is the person who created the public key.

The main problem with RSA is that it is slow. In fact, what early versions of PGP did (I'm not sure what modern versions do, possibly it has not changed) was use Diffie-Hellman key exchange to distribute the key to some fast symmetric cipher, and then just use that for the main body of the message.

+3  A: 

Symmetric and asymmetric ciphers are two completely different things. You cannot directly compare them.

Symmetric ciphers are used to encrypt a message with a shared secret. These are algorithms such as DES, AES, blowfish, etc.

Asymmetric ciphers deal with another issue, namely key-sharing and signatures. By being able to have a public key, it is possible to distribute that key through a channel that cannot be modified. Others can read the key; as long as they cannot alter it there is no problem.

If others can alter the messages (this is usually the case anywhere) then it becomes more complicated. Then you need to use digital signatures. There is basically a central authority who signs public keys (certificates are also public keys). Everybody has the public keys of the certificate authority pre-installed (usually bundled with the OS) and therefore can verify that certificates are authentic by checking the signature using the authority's public key. This is referred to as a PKI (public key infrastructure) and it is used all over the place. The most prominent example is SSL.

Read up on it.

You get the answer simply because of descriptiveness. But, I awarded an up-vote to Krystian for an equally valid answer. Sigh. Getting two great answers always makes it hard to decide.
+1  A: 

As Krystian says, Diffie-Hellman lets you establish a secure connection, but doesn't let you verify who that secure connection is with.

However, DH can be used in combination with a public key algorithm like RSA. This allows you to verify the other party's identity (using an RSA signature), and the Diffie-Hellman key exchange brings to the party a property called perfect forward secrecy. This means that if you and I talk today, and next year somebody steals your RSA private key, they still can't go back and decrypt today's conversation. A plain RSA key exchange doesn't have this property.
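The accepted answer's PKI description, the earlier point that public key operations are used only to exchange a symmetric key, and this answer's forward-secrecy argument all fit in one small model, so here is an added Python example covering all three (it is not code from any of the answers). It uses a textbook RSA with constructed Mersenne-prime keys and no padding, a toy DH group, and SHA-256 as a stand-in key derivation function; the names `issue_cert`, `verify_cert`, `rsa_transport_handshake`, `signed_dh_handshake` and `transport_key_from_stolen_key` are assumptions made for the demo.

```python
import hashlib
import secrets

# ---- Toy "textbook" RSA: raw modular exponentiation on a SHA-256 digest, no padding.
# ---- Constructed for illustration; real systems use RSA-PSS / OAEP with >=2048-bit keys.
E = 65537


def rsa_keypair(p, q):
    """Return (public=(n, e), private=(n, d)) built from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(private, data):
    n, d = private
    return pow(digest_int(data, n), d, n)


def rsa_verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest_int(data, n)


# Long-term keys built from Mersenne primes (constructed choice; far too small for real use).
CA_PUB, CA_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
SERVER_PUB, SERVER_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)


# ---- PKI: the CA signs the server's public key; clients ship with CA_PUB pre-installed.
def cert_bytes(name, pub):
    return f"{name}:{pub[0]}:{pub[1]}".encode()


def issue_cert(name, pub, ca_priv=CA_PRIV):
    return {"name": name, "pub": pub, "sig": rsa_sign(ca_priv, cert_bytes(name, pub))}


def verify_cert(cert, ca_pub=CA_PUB):
    """Any change to the name or the key invalidates the CA's signature."""
    return rsa_verify(ca_pub, cert_bytes(cert["name"], cert["pub"]), cert["sig"])


# ---- Toy DH group (constructed; same caveat as the RSA keys).
P, Q, G = 1019, 509, 4   # safe prime P = 2Q + 1, G generates the order-Q subgroup


def kdf(label, secret):
    """Turn a handshake secret into a symmetric key for the fast bulk cipher."""
    return hashlib.sha256(label + secret.to_bytes(32, "big")).hexdigest()


# ---- Handshake 1: RSA key transport. The session secret travels encrypted under the
# ---- server's long-term key, so whoever later obtains that key can read old sessions.
def rsa_transport_handshake(cert, seed=None):
    if not verify_cert(cert):
        raise ValueError("untrusted certificate")
    seed = secrets.randbits(64) if seed is None else seed   # client-chosen session secret
    n, e = cert["pub"]
    transcript = {"cert": cert, "encrypted_seed": pow(seed, e, n)}   # what a listener records
    return kdf(b"transport", seed), transcript


def transport_key_from_stolen_key(transcript, server_priv):
    """Recorded transcript + later theft of the long-term key = the old session key."""
    n, d = server_priv
    return kdf(b"transport", pow(transcript["encrypted_seed"], d, n))


# ---- Handshake 2: signed ephemeral DH. The long-term key only signs; the session secret
# ---- comes from exponents that are discarded after the handshake (forward secrecy).
def signed_dh_handshake(cert, server_priv, x=None, y=None):
    x = secrets.randbelow(Q - 1) + 1 if x is None else x   # client's ephemeral exponent
    y = secrets.randbelow(Q - 1) + 1 if y is None else y   # server's ephemeral exponent
    client_pub, server_pub = pow(G, x, P), pow(G, y, P)
    signed_part = f"{client_pub}:{server_pub}".encode()
    sig = rsa_sign(server_priv, signed_part)
    # Client side: trust chain CA -> server certificate -> signature over the DH values.
    if not (verify_cert(cert) and rsa_verify(cert["pub"], signed_part, sig)):
        raise ValueError("server authentication failed")
    key = kdf(b"dh", pow(server_pub, x, P))
    transcript = {"cert": cert, "client_pub": client_pub, "server_pub": server_pub, "sig": sig}
    return key, transcript   # x and y are not retained anywhere


if __name__ == "__main__":
    cert = issue_cert("server.example", SERVER_PUB)
    k, t = rsa_transport_handshake(cert)
    print("transport key recoverable with stolen key:",
          transport_key_from_stolen_key(t, SERVER_PRIV) == k)
    k1, t1 = signed_dh_handshake(cert, SERVER_PRIV)
    k2, t2 = signed_dh_handshake(cert, SERVER_PRIV)
    print("two DH sessions under the same cert share a key:", k1 == k2)
```

The contrast is in what the transcript contains. For key transport it holds `encrypted_seed`, and `transport_key_from_stolen_key` shows the long-term private key turns that field straight into the session key. For signed DH the transcript holds only public values and a signature, and the private key's only role was to produce that signature; there is no field it decrypts, so a stolen key lets an attacker impersonate the server in future handshakes but not reconstruct past ones. Each DH session also gets a fresh key even though the certificate never changes, which is the "computed shared key per conversation" property the question asks about.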