Public Key Cryptography with Diffie-Hellman

Diffie-Hellman is used for key agreement. In simple terms, key agreement is the exchange of information over an insecure medium that allows each of the two parties in a conversation to compute a value that is typically used as the key for a symmetric cipher. By itself, Diffie-Hellman cannot be used for encryption or authentication; it only provides secrecy. Because the exchange of
information takes place over an insecure medium, it should never be used by itself. Some means of authenticating the parties in the conversation should also be used.

Diffie-Hellman works by first creating a set of parameters that are agreed upon by both parties in the conversation. The parameters, consisting of a randomly chosen prime number and a generator value that is typically specified as either 2 or 5, are public and can be either agreed upon before the conversation begins or exchanged as part of the conversation. Using the agreed-upon parameters, each party computes a public and private key. As its name implies, the private key is never shared with anyone. The parties exchange their public keys, and then each party can
compute the shared secret using their private key and the peer's public key.

The command-line tool provides a command for generating Diffie-Hellman parameters, but the only method for generating keys is deprecated, and should not be used. OpenSSL 0.9.5 added the dhparam command, and in doing so, deprecated the two commands dh and gendh, which were capable of generating Diffie-Hellman parameters and keys, respectively. As of this writing, the two deprecated commands are still accessible in OpenSSL 0.9.7, but because they're deprecated, we'll pretend that they do not exist, because they're likely to be completely removed from the next
release of OpenSSL. Unfortunately, the new dhparam command does not support the generation of Diffie-Hellman keys, but it is likely that future versions will add support for it.


The following examples illustrate the use of the Diffie-Hellman commands:

[root@host]# openssl dhparam -out dhparam.pem -2 1024 

Generates a new set of Diffie-Hellman parameters using a generator of 2 and a random
1,024-bit prime, and writes the parameters in PEM format to the file dhparam.pem.

[root@host]# openssl dhparam -in dhparam.pem -noout -C 

Reads a set of Diffie-Hellman parameters from the file dhparam.pem and writes a C code representation of the parameters to stdout.