# Ephemeral Diffie-Hellman with RSA (DHE-RSA)

--

Cryptography is going to the top of the agenda within many areas of our lives, and it is being targeted by the EU within GDPR, and by some politicians in cracking the keys involved.

One way for Bob and Alice to create a shared encryption key is for Alice to pass her public key to Bob, and then for Bob to generate the key and encrypt it with Alice’s public key. Bob then passes this back and Alice decrypts it with her private key. They will then have the same key to use with symmetric key encryption (such as with AES).

But what happens if Alice leaks her private key, the Eve will be able to crack all the keys that were generated? So, these days, we increasingly use a key exchange method to generate the secret shared key. One of the most popular methods in the past is the wonderful Diffie-Hellman (DH) method:

The problem with DH is that if Bob and Alice generate the same values, they will always end up with the same secret key. Along with this, Eve can sit in the middle of the communications and exchange different keys with Bob and Alice — the Man-in-the-Middle attack.

With Ephemeral Diffie-Hellman (DHE) a different key is used for each connection, and a leakage of the private key would still mean that all of the communications were secure. Within DHE-RSA, the server signs the Diffie-Hellman parameter (using a private key from an RSA key pair) to create a pre-master secret, and where a master is created which is then used to generate a shared symmetric encryption key.

Normally when we create a shared key we created a tunneled connected between a client and a server. This is normally defined through an SSL (Secure Socket Layer) or TLS (Transport Layer Security), and where a client connects to a server. Normally we define the tunnel type (such as TLS or SSL), the key exchange method (such as DHE-RSA), a symmetric key method to be used for the encryption process (such as 256-bit AES with CBC) and a hashing method (such as SHA). This can be defined as a string as: