Public Keys
Chapter 2 established the hybrid model: use asymmetric crypto to agree on a shared symmetric key, then switch to fast symmetric encryption. This chapter answers the obvious follow-up — how exactly do the two parties agree on that key over a network an attacker is watching? There are two historical approaches, and the difference between them turns out to matter enormously for security.
Approach 1: RSA Key Transport (the old way)
The original TLS method used RSA key transport. The logic is simple:
- The server has an RSA key pair; its public key is in its certificate (Chapter 4).
- The client invents a random secret (the "pre-master secret"), encrypts it with the server's public key, and sends it.
- Only the server's private key can decrypt it, so now both sides share that secret — from which the symmetric key is derived.
It works and it's easy to picture: the client effectively puts the secret in a box only the server can open. But it has a serious, subtle weakness that took the industry years to fully act on.
Approach 2: Diffie–Hellman Key Exchange (the modern way)
Diffie–Hellman (DH) solves the problem differently — and almost magically. It lets two parties derive a shared secret by exchanging only public values, such that an eavesdropper who sees everything sent still cannot compute the secret. The classic intuition is mixing paint:
The shared secret (brown) is never transmitted — each side computes it locally by combining their own private value with the other's public value. The "un-mixing is hard" property is, in real DH, the difficulty of certain mathematical problems (discrete logarithms). Critically, the secret was never put in a box tied to a long-lived key — it emerged from values that can be thrown away after the session.
Ephemeral Diffie–Hellman = Forward Secrecy
The security payoff comes when the DH private values are ephemeral — freshly generated for each session and discarded immediately afterward. This is signalled by an E in cipher names: DHE (ephemeral DH) and ECDHE (the elliptic-curve, faster variant used almost universally today).
But Wait — Where Does Authentication Fit?
Plain Diffie–Hellman has a gap: it establishes a shared secret with somebody, but it doesn't prove who. An active man-in-the-middle could run separate DH exchanges with each side and sit in the middle. DH alone gives confidentiality, not authentication — exactly the Chapter 1 warning that encryption without authentication is a private chat with a possible impostor.
TLS closes the gap by combining DH with a signature: the server signs its DH public value with the long-term private key from its certificate. So the two asymmetric tools play distinct roles, and it's worth keeping them separate in your mind:
| Asymmetric role | Tool | Provides | Key used |
|---|---|---|---|
| Key agreement | (EC)DHE | a shared secret + forward secrecy | ephemeral, per-session, discarded |
| Authentication | signature (RSA or ECDSA) | proof of server identity | long-term key from the certificate |
This is a key clarification: in modern TLS the certificate's long-term key is used to sign (authenticate), not to encrypt the session secret. The session secret comes from ephemeral DH. That separation is precisely what delivers both authentication and forward secrecy at once — the old RSA-transport method conflated the two into one key and lost forward secrecy as a result.
RSA Transport vs Ephemeral DH — Side by Side
| RSA key transport (legacy) | Ephemeral DH — (EC)DHE (modern) | |
|---|---|---|
| How secret is shared | client encrypts it to server's public key | both derive it from exchanged public values |
| Long-term key's job | decrypts the session secret | only signs (authenticates) |
| Forward secrecy | No — key theft decrypts all past traffic | Yes — past sessions stay safe |
| Status | removed in TLS 1.3 | the only option in TLS 1.3 |
The progression is the whole point of this chapter: TLS 1.2 supported both, and TLS 1.3 (Chapter 7) dropped RSA key transport altogether, making forward secrecy mandatory. Every modern HTTPS connection you make uses ephemeral elliptic-curve Diffie–Hellman (ECDHE) for key agreement, authenticated by a certificate signature. The next chapter examines that certificate itself.
Hands-On Exercises
Connect to a real site with openssl s_client -connect example.com:443 and find the line reporting the negotiated key exchange / cipher (look for "Server Temp Key" and the cipher name). Identify whether ECDHE is in use, and explain what the "E" guarantees.
Walk through the paint-mixing analogy with actual small numbers using the real DH formula (pick a small prime p and base g, choose two private exponents, compute the public values and the shared secret both ways). Confirm both sides reach the same secret, and state what an eavesdropper would and wouldn't know.
📄 View solutionExplain the "harvest now, decrypt later" attack in one paragraph, then state precisely why RSA key transport is vulnerable to it but ephemeral ECDHE is not. Be specific about which key is stolen and what it can (or can't) unlock in each case.
📄 View solutionChapter 3 Quick Reference
- Key exchange = how two parties agree on the shared symmetric key over a watched network
- RSA key transport (legacy) — client encrypts the secret to the server's public key; simple but NO forward secrecy
- Diffie–Hellman — both derive a shared secret from exchanged PUBLIC values; the secret is never transmitted
- Ephemeral DH (DHE / ECDHE) — fresh per-session values, discarded after = forward secrecy
- Forward secrecy — stealing the long-term key later can't decrypt past recorded sessions
- Plain DH gives confidentiality but not authentication — TLS signs the DH value with the certificate key
- Modern split: (EC)DHE agrees the key (ephemeral), the certificate key only signs/authenticates
- TLS 1.3 removed RSA key transport — ECDHE forward secrecy is now mandatory
- Next chapter: certificates & the X.509 format — what proves the server's identity