ISAKMP-Key Exchange

Source: Internet
Author: User

Key exchange is mainly used to establish keys. In ISAKMP, both the data encryption algorithm and the authentication algorithm need a key that both parties know. The Internet, however, is an insecure environment. How can two parties establish a secret key across an insecure network?

 

There are two methods: key transmission and key generation.

 

As the name suggests, key transmission means sending the key directly to the other party. A typical example is for the client to generate a random key and encrypt it with the server's public key. Since only the server can decrypt the encrypted data, the key stays secret in transit. However, if the server's private key is stolen, the communication becomes insecure.

 

Key generation is fundamentally different from key transmission. Because the key itself is never transmitted over the network, an attacker who intercepts the key exchange messages still cannot obtain the key. Key generation usually uses the Diffie-Hellman (DH) algorithm. First, each party independently generates a private key; call these Xi (initiator) and Xr (receiver). Each party then uses its private key to generate public key information, Yi and Yr. The two parties exchange Yi and Yr, so the initiator holds Xi and Yr, while the receiver holds Yi and Xr. With this information and the DH algorithm, the two ends can generate the same key.
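The exchange described above, written out as an added example (not code from the original page). The group parameters `P` and `G` are a toy choice assumed for illustration, and hashing the shared secret with SHA-256 stands in for the protocol's own key derivation; the range check on the peer's public value is an added defensive step.

```python
import hashlib
import secrets

# Toy group assumed for this example only: the Mersenne prime 2**521 - 1
# with base 3. Real peers negotiate a standardized group instead.
P = 2**521 - 1
G = 3

def generate_keypair():
    """Return (private X, public Y = G^X mod P)."""
    x = secrets.randbelow(P - 3) + 2  # X drawn from [2, P-2]
    return x, pow(G, x, P)

def validate_public(y):
    """Reject degenerate peer values (0, 1, P-1, ...) that make the secret predictable."""
    if not isinstance(y, int) or not 1 < y < P - 1:
        raise ValueError("peer public value out of range")
    return y

def shared_key(own_private, peer_public):
    """Compute peer_public^own_private mod P and hash it into a 256-bit key."""
    secret = pow(validate_public(peer_public), own_private, P)
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()

def run_exchange():
    """Simulate initiator and receiver; return both keys and the wire traffic."""
    xi, yi = generate_keypair()   # initiator: Xi never leaves this side
    xr, yr = generate_keypair()   # receiver:  Xr never leaves this side
    wire = {"Yi": yi, "Yr": yr}   # everything an eavesdropper can record
    key_i = shared_key(xi, wire["Yr"])  # initiator combines Xi with Yr
    key_r = shared_key(xr, wire["Yi"])  # receiver combines Xr with Yi
    return key_i, key_r, wire

if __name__ == "__main__":
    key_i, key_r, wire = run_exchange()
    print("keys match:", key_i == key_r)
    print("derived key:", key_i.hex())
```

Only `Yi` and `Yr` cross the network; the derived key and both private values stay on their own side.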

 

In terms of computing workload, key transmission requires less computation than key generation. In terms of security, however, key generation is undoubtedly more secure. Therefore, mainstream key exchange protocols, such as IPsec, are implemented based on the DH algorithm.
