Public Keys

Chapter 3
Public-Key Crypto & Key Exchange
RSA key transport vs Diffie–Hellman, and the idea of forward secrecy

Chapter 2 established the hybrid model: use asymmetric crypto to agree on a shared symmetric key, then switch to fast symmetric encryption. This chapter answers the obvious follow-up — how exactly do the two parties agree on that key over a network an attacker is watching? There are two historical approaches, and the difference between them turns out to matter enormously for security.

Approach 1: RSA Key Transport (the old way)

The original TLS method used RSA key transport. The logic is simple:

  1. The server has an RSA key pair; its public key is in its certificate (Chapter 4).
  2. The client invents a random secret (the "pre-master secret"), encrypts it with the server's public key, and sends it.
  3. Only the server's private key can decrypt it, so now both sides share that secret — from which the symmetric key is derived.

It works and it's easy to picture: the client effectively puts the secret in a box only the server can open. But it has a serious, subtle weakness that took the industry years to fully act on.

RSA key transport has no forward secrecy
With this method, every session's secret is protected by the same long-lived server private key. Imagine an attacker records years of encrypted traffic today, then later steals (or legally compels) the server's private key. They can now go back and decrypt all of that recorded traffic — every past session — because each one's pre-master secret was encrypted to that one key. One key compromise retroactively unlocks the entire archive. This "harvest now, decrypt later" exposure is why RSA key transport was removed entirely in TLS 1.3.

Approach 2: Diffie–Hellman Key Exchange (the modern way)

Diffie–Hellman (DH) solves the problem differently — and almost magically. It lets two parties derive a shared secret by exchanging only public values, such that an eavesdropper who sees everything sent still cannot compute the secret. The classic intuition is mixing paint:

# Paint-mixing analogy for Diffie-Hellman 1. Both agree publicly on a common base colour (yellow) 2. Each secretly picks a private colour (client: red, server: blue) 3. Each mixes base + their secret, sends the mix (client sends orange, server sends green) # an eavesdropper sees yellow, orange, green 4. Each adds their OWN secret to the other's mix: client: green + red = brown server: orange + blue = brown # same shared secret! # the eavesdropper cannot make brown: "un-mixing" a colour is infeasible

The shared secret (brown) is never transmitted — each side computes it locally by combining their own private value with the other's public value. The "un-mixing is hard" property is, in real DH, the difficulty of certain mathematical problems (discrete logarithms). Critically, the secret was never put in a box tied to a long-lived key — it emerged from values that can be thrown away after the session.

Ephemeral Diffie–Hellman = Forward Secrecy

The security payoff comes when the DH private values are ephemeral — freshly generated for each session and discarded immediately afterward. This is signalled by an E in cipher names: DHE (ephemeral DH) and ECDHE (the elliptic-curve, faster variant used almost universally today).

What "forward secrecy" actually buys you
With ephemeral DH, each session's key is derived from one-time values that are deleted when the session ends. So even if the server's long-term private key is stolen later, there's nothing left to decrypt past sessions with — the ephemeral secrets are long gone, and the long-term key was never what protected the session data in the first place (it was only used to sign, not to encrypt the secret). The archive of recorded traffic stays safe. This property is called Forward Secrecy (or Perfect Forward Secrecy, PFS), and it's the headline reason TLS moved to ephemeral DH.

But Wait — Where Does Authentication Fit?

Plain Diffie–Hellman has a gap: it establishes a shared secret with somebody, but it doesn't prove who. An active man-in-the-middle could run separate DH exchanges with each side and sit in the middle. DH alone gives confidentiality, not authentication — exactly the Chapter 1 warning that encryption without authentication is a private chat with a possible impostor.

TLS closes the gap by combining DH with a signature: the server signs its DH public value with the long-term private key from its certificate. So the two asymmetric tools play distinct roles, and it's worth keeping them separate in your mind:

Asymmetric roleToolProvidesKey used
Key agreement(EC)DHEa shared secret + forward secrecyephemeral, per-session, discarded
Authenticationsignature (RSA or ECDSA)proof of server identitylong-term key from the certificate

This is a key clarification: in modern TLS the certificate's long-term key is used to sign (authenticate), not to encrypt the session secret. The session secret comes from ephemeral DH. That separation is precisely what delivers both authentication and forward secrecy at once — the old RSA-transport method conflated the two into one key and lost forward secrecy as a result.

RSA Transport vs Ephemeral DH — Side by Side

RSA key transport (legacy)Ephemeral DH — (EC)DHE (modern)
How secret is sharedclient encrypts it to server's public keyboth derive it from exchanged public values
Long-term key's jobdecrypts the session secretonly signs (authenticates)
Forward secrecyNo — key theft decrypts all past trafficYes — past sessions stay safe
Statusremoved in TLS 1.3the only option in TLS 1.3

The progression is the whole point of this chapter: TLS 1.2 supported both, and TLS 1.3 (Chapter 7) dropped RSA key transport altogether, making forward secrecy mandatory. Every modern HTTPS connection you make uses ephemeral elliptic-curve Diffie–Hellman (ECDHE) for key agreement, authenticated by a certificate signature. The next chapter examines that certificate itself.

Hands-On Exercises

Exercise 1

Connect to a real site with openssl s_client -connect example.com:443 and find the line reporting the negotiated key exchange / cipher (look for "Server Temp Key" and the cipher name). Identify whether ECDHE is in use, and explain what the "E" guarantees.

📄 View solution
Exercise 2

Walk through the paint-mixing analogy with actual small numbers using the real DH formula (pick a small prime p and base g, choose two private exponents, compute the public values and the shared secret both ways). Confirm both sides reach the same secret, and state what an eavesdropper would and wouldn't know.

📄 View solution
Exercise 3

Explain the "harvest now, decrypt later" attack in one paragraph, then state precisely why RSA key transport is vulnerable to it but ephemeral ECDHE is not. Be specific about which key is stolen and what it can (or can't) unlock in each case.

📄 View solution

Chapter 3 Quick Reference

  • Key exchange = how two parties agree on the shared symmetric key over a watched network
  • RSA key transport (legacy) — client encrypts the secret to the server's public key; simple but NO forward secrecy
  • Diffie–Hellman — both derive a shared secret from exchanged PUBLIC values; the secret is never transmitted
  • Ephemeral DH (DHE / ECDHE) — fresh per-session values, discarded after = forward secrecy
  • Forward secrecy — stealing the long-term key later can't decrypt past recorded sessions
  • Plain DH gives confidentiality but not authentication — TLS signs the DH value with the certificate key
  • Modern split: (EC)DHE agrees the key (ephemeral), the certificate key only signs/authenticates
  • TLS 1.3 removed RSA key transport — ECDHE forward secrecy is now mandatory
  • Next chapter: certificates & the X.509 format — what proves the server's identity