When I read descriptions about how DH key exchange works, there's no mention of how the key-exchangers came to an agreement on which "group" (the p and g parameters) should be used to compute the public and private values. Looking at RFC 5114, it seems like there are quite a few choices.
I'd like to know if this negotiation is typically done during the exchange itself, and if not, if there's a description somewhere regarding how the algorithm would be different if it included that step.
Thanks for reading.
The p and g values are safe to pass unencrypted. If client/server is on a network, either the client or server generates the p/g values and passes them via network sockets. As long as the secret number for each client/server is kept a secret (duh..) the Diffie-Hellman exchange can be said to be safe, as an attacker would have to compute g^(ab) mod p = g^(ba) mod p (which leads to an infinite amount of solutions that is infeasible to compute given that the p value is big enough).
Essentially the most basic D-H exchange goes as follows:
Party A generates p, g, a values, where g is the base/generator, p is the prime modulo, a is the secret power.
Party B (concurrently) generates secret value b.
Party A computes g^a mod p (we call this value thereafter A)
Party A sends p, g and A across the transmission medium.
Party B receives p, g, A.
Party B computes g^b mod p (we call this value thereafter B).
Party B sends B across the transmission medium.
Party A receives B.
Party A computes B^a mod p and obtains the shared secret.
Party B (concurrently) computes A^b mod p and obtains the shared secret.
Note: if the p value is too small, it may be computationally cheaper to just iterate through 0 to p - 1, but this all depends on what you do after you generate the common secret.
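The exchange described in the answer above, as an added example that is not code from the original post: Party A sends p, g and A in the clear, Party B checks them before using them, and the last function shows the closing note about a small p. The function names, the `MIN_BITS` floor and the range checks are assumptions added here, and the values p=23, g=5 are constructed toy inputs.

```python
import secrets

MIN_BITS = 2048  # assumed policy floor; the post only says p must be "big enough"

def pick_secret(p):
    return secrets.randbelow(p - 3) + 2            # uniform in [2, p-2]

def in_range(p, value):
    return 1 < value < p - 1                       # rejects 0, 1 and p-1

def make_offer(p, g, a=None):
    """Party A: returns (secret a, cleartext message carrying p, g, A)."""
    a = pick_secret(p) if a is None else a
    return a, {"p": p, "g": g, "A": pow(g, a, p)}

def respond(msg, b=None, min_bits=MIN_BITS):
    """Party B: check the unauthenticated offer, then return (shared, B)."""
    p, g, A = msg["p"], msg["g"], msg["A"]
    if p.bit_length() < min_bits:
        raise ValueError("modulus too small")
    if not (in_range(p, g) and in_range(p, A)):
        raise ValueError("degenerate g or A")
    # Not checked here: that p is prime and that g has large order.
    b = pick_secret(p) if b is None else b
    return pow(A, b, p), pow(g, b, p)

def finish(a, p, B):
    """Party A: check B, then derive the same shared secret."""
    if not in_range(p, B):
        raise ValueError("degenerate B")
    return pow(B, a, p)

def exhaust_small_group(p, g, A):
    """The post's closing note: with a tiny p, every exponent can be tried."""
    return next(x for x in range(p) if pow(g, x, p) == A)

if __name__ == "__main__":
    # Constructed toy values (p=23, g=5); far too small for real use.
    a, msg = make_offer(23, 5, a=6)
    shared_b, B = respond(msg, b=15, min_bits=5)
    print("sent in clear:", msg, "reply B:", B)
    print("A's secret:", finish(a, 23, B), "B's secret:", shared_b)
    print("exponent found by trying all values:", exhaust_small_group(23, 5, msg["A"]))
```

With the default `MIN_BITS`, `respond` refuses the toy offer outright, which is the behaviour a receiver wants when the sender picks the group.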