How Key Exchange Works

Before two parties can encrypt their communication, they need to agree on a shared secret key. The tricky part is that they can only communicate over a network that an attacker might be watching. Key exchange protocols solve this without either party ever sending the key itself.

The problem

If Alice wants to send Bob an encrypted message, they both need the same key. If Alice sends the key over the internet, an eavesdropper will intercept it. This looks impossible to solve, yet Whitfield Diffie, Martin Hellman, and Ralph Merkle solved it independently in 1976. Their insight: two parties can establish a shared secret over a public channel without the secret ever travelling across that channel.

Diffie-Hellman key exchange

The Diffie-Hellman (DH) protocol exploits a mathematical asymmetry: computing ga mod p (modular exponentiation) is fast, but reversing the operation to recover the exponent is computationally infeasible. This is the discrete logarithm problem.

Alice and Bob each choose a private random number. They compute a public value from it and exchange those public values. Each then derives the same shared secret from the other's public value combined with their own private number. An eavesdropper who sees only the public values cannot reconstruct the secret.

Modern protocols use Elliptic Curve Diffie-Hellman (ECDH), which achieves equivalent security with much shorter keys by performing the same logic over the algebraic structure of elliptic curves.

Forward secrecy

A critical property in modern protocols is forward secrecy (also called perfect forward secrecy, or PFS). A fresh key pair is generated for every session, and session keys are never derived from long-term identity keys. If an attacker later compromises a server's long-term private key, past sessions remain protected because their unique session keys were discarded after use.

TLS 1.3 mandates forward secrecy by requiring ECDHE (Elliptic Curve DH with Ephemeral keys) for all connections. Earlier TLS versions supported non-forward-secret cipher suites; TLS 1.3 removed them entirely.

Key exchange in TLS, IPsec, and MACsec

  • TLS 1.3 runs an ECDHE exchange during the handshake. The result feeds into HKDF, a key derivation function, to produce the session keys used for encrypting data.
  • IPsec negotiates session keys using IKEv2, which runs a Diffie-Hellman exchange between two endpoints before the tunnel opens. IKEv2 supports periodic rekeying to maintain forward secrecy over long-lived tunnels.
  • MACsec does not perform online key exchange. A Secure Association Key (SAK) is derived from a pre-distributed Connectivity Association Key (CAK) via the MACsec Key Agreement (MKA) protocol. The CAK must be distributed out-of-band, typically done through an ad-hoc mechanism that distributes pre-shared keys. In practice, this reduces the security of the implementation. Ideally, the MKA should establish session keys through a key exchange mechanism.

The quantum threat

Shor's algorithm can solve the discrete logarithm problem in polynomial time on a large-scale quantum computer, which breaks both classical DH and ECDH. The most pressing consequence is the "harvest now, decrypt later" attack: an adversary records encrypted traffic today at negligible cost and decrypts it once a capable quantum computer becomes available. Traffic that must stay confidential for a decade or more is already at risk.

Two paths forward: PQC and QKD

Post-quantum cryptography (PQC) replaces the classical mathematical problems with new ones believed to be hard even for quantum computers. NIST standardised ML-KEM (previously CRYSTALS-Kyber) in 2024 as the primary post-quantum key encapsulation mechanism. It runs on existing internet infrastructure with no special hardware, making it the practical option for securing connections at scale.

Quantum Key Distribution (QKD) takes a fundamentally different approach. Instead of replacing one mathematical problem with another, QKD uses quantum physics to establish a shared key over a dedicated optical fiber link. Any interception attempt disturbs the quantum signal and is detected immediately. QKD is information-theoretically secure and does not rely on any computational assumption. It requires dedicated hardware and fiber infrastructure, so it cannot replace PQC across the open internet. It is best suited for fixed, high-security links between data centers, financial institutions, or government networks.

The most robust networks will combine both approaches: PQC for wide-area connections where QKD infrastructure cannot be built, and QKD for the most sensitive fixed links where the hardware can be deployed.