Diffie-Hellman Encryption Tutorial - Public key Cryptography




Diffie-Hellman is an asymmetric key algorithm used for public key cryptography. As well as being used with IPsec, it is also used for SSL, SSH, PGP and other PKI systems.

The Diffie-Hellman algorithm was created to address the problem of secret keys being compromised while in transit over the internet. It allows two VPN gateway devices that have no prior knowledge of each other to set up a shared secret key.

The process works by two peers each generating a private and a public key. Peer A sends its public key to peer B and peer B sends its public key to peer A. Peer A then uses the public key sent from peer B and its own private key to generate a symmetric key using the Diffie-Hellman algorithm. Peer B follows the same process as peer A and in turn produces the exact same symmetric key as peer A, thus enabling them to communicate securely over the insecure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.

However, some concerns were later found with the Diffie-Hellman algorithm, such as man-in-the-middle attacks, because there is no authentication in place before keys are exchanged. How would peer B know that it is about to exchange keys with peer A? It could easily be a hacker spoofing peer A’s identity. This led to the more advanced public key cryptography in RSA. However, using authentication methods such as pre-shared keys and digital certificates to authenticate VPN gateway devices has overcome this issue. Using Diffie-Hellman alongside authentication algorithms is a secure and approved solution.
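The exchange and the pre-shared-key check described above, as an added Python example that is not part of the original tutorial. It is a simplified illustration, not the IKE exchange itself: the 127-bit prime, the generator, the peer names and the helper functions are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption for this example): 2**127 - 1 is prime, but it is
# far smaller than the 768 to 2048 bit DH groups discussed on this page.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) where public = G^private mod P."""
    priv = secrets.randbelow(P - 3) + 2          # private value in [2, P-2]
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive the symmetric key from our private and the peer's public value."""
    if not 1 < peer_pub < P - 1:                 # reject degenerate values
        raise ValueError("invalid peer public value")
    secret = pow(peer_pub, priv, P)              # same result on both sides
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def tag(psk, sender, pub):
    """HMAC over the sender's identity and public value, keyed by the PSK."""
    msg = sender + b"|" + pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def receive(psk, sender, pub, mac, my_priv):
    """Accept a peer's public value only if its tag verifies under the PSK."""
    if not hmac.compare_digest(tag(psk, sender, pub), mac):
        raise ValueError("authentication failed: public value not accepted")
    return shared_key(my_priv, pub)

def demo():
    psk = b"constructed-example-psk"             # constructed sample value
    a_priv, a_pub = keypair()                    # peer A
    b_priv, b_pub = keypair()                    # peer B
    key_a = receive(psk, b"peerB", b_pub, tag(psk, b"peerB", b_pub), a_priv)
    key_b = receive(psk, b"peerA", a_pub, tag(psk, b"peerA", a_pub), b_priv)
    # A public value claiming to be peer A but tagged without the real PSK
    _, other_pub = keypair()
    try:
        receive(psk, b"peerA", other_pub,
                tag(b"not-the-psk", b"peerA", other_pub), b_priv)
        rejected = False
    except ValueError:
        rejected = True
    return key_a == key_b, rejected

if __name__ == "__main__":
    print(demo())
```

Without the tag check, peer B would compute a key from any public value it received; with it, a value that was not produced by a holder of the pre-shared key is refused before any key is derived.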

Diffie-Hellman public key cryptography is used by all major VPN gateways today, supporting Diffie-Hellman groups 1, 2, 5 and 14 as well as others. DH group 1 consists of a 768-bit key, group 2 of a 1024-bit key, group 5 of a 1536-bit key and group 14 of a 2048-bit key. Group 14 is the strongest and most secure of the ones just mentioned, but there are other key lengths as well. The higher the Diffie-Hellman group used, the more secure the exchange will be, but the more CPU intensive it will be; a lower group is the opposite, less secure but requiring less CPU time to compute.

Diffie-Hellman is based on the difficulty of calculating discrete logarithms in a finite field. Diffie-Hellman only performs the key exchange and does not provide data encryption, digital signatures or any authentication.

As well as Diffie-Hellman, some other asymmetric encryption algorithms are RSA, ECC, El Gamal, DSA, LUC and Knapsack.

Further Reading

Wikipedia's guide to Diffie-Hellman Key Exchange