Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Diffie Hellman

I know how this basically works. Both sides have a private key. Then each side sends it's public key which can only be decoded by the private keys.

My question is,

Each side, after working out the private/public key exchange, has to end up with the same values between them.

Does this mean that both sides start off with the same value for both the private and public ??

Where does each side get the value for each key ?? It cant be randomly generated can it, as both sides have to calculate to the same value.

Hope you understand my question, as I know the theory, but cant understand where both ends start with the numbers they need. ( i.e. Group 5, is that a pool of values or just one ? )

OK, getting really confused now, please can someone help !!!

Hall of Fame Super Blue

Re: Diffie Hellman


It really depends how much detail you want to go into and how good at maths you are. I'm not that good at maths so i can't explain how the maths works but from a doc on DH -


Once the key exchange is complete, the process continues. An important feature of the Diffie-Hellman

protocol is its ability to generate “shared secrets” - an identical cryptographic key shared by each side of

the communication. Figure 2 depicts this operation with the “DH Math” box (trust me, the actual

mathematical equation is a good deal longer and more complex). By running the mathematical operation

against your own private key and the other side's public key, you generate a value. When the distant end

runs the same operation against your public key and their own private key, they also generate a value.

The important point is that the two values generated are identical.


Full doc is attached.

Apologies if this is not what you wanted.


Community Member

Re: Diffie Hellman

Thanks for this info.

I think the main key point I do not understand is on that doc.

Its the line...

Noting that the public key is a derivative of the private key is important - the two keys are

mathematically linked.

How can 2 systems that have never communicated before, share 2 public keys, do a calculation with their own private keys and both come to the same matching values ?

If you individually went on the 2 systems and coded the same private and public keys, i can understand as it logically would be the same value.

The fact is, you only type in the command ' group 2' for example and hey presto, it works ??.

Community Member

Re: Diffie Hellman

The process begins when each side of the communication generates a private key.

OK with this

Each side then generates a public key, which is a derivative of the

private key.

Can someone explain this in more detail ?

The two systems then exchange their public keys. Each side of the communication now has

their own private key and the other systems public key .

Yes, but how do both sides then get the same value ? The private keys can be totally different on both sides, as will be the public keys ?


Re: Diffie Hellman

Since it's in Wikipedia I'm not going to write it out - the math is explained here:

Pay attention to this: (g)ab and (g)ba are equal mod p - this is the important part here.

Btw, Mod stands for 'modulus' or 'modulus operator' - all it means is that you are taking the remainder as the answer. For example 16 mod 3 = 1, because 16/3= 5 remainder 1.


Community Member

Re: Diffie Hellman

So before any exchange takes place, are the values of the private keys and the public keys(before they are sent), the same as the keys on the other side so when they swap and do the calculations, it always comes to the same value ?

This is the bit I want to work out, as the only command I can see we enter on both sides is for example 'group 2 '.

I know each level of the group is a different level of encryption, and I take it this is the level that it encrypts the entire ISAKMP policy ?.


Re: Diffie Hellman


D-H is used as part of the IKE/ISAKMP policy to create a key that encrypts the data to be transmitted.

Both sides agree on a prime number and a base to use. Then, each side picks a random number that the other side does not know about. Each side performs an operation using the random number, the base and the prime. The results are shared at both sides (they are the same number at both sides)- this result is the key that is then used to encrypt data. Group 2 denotes that the key is 1024 bits, and is therefore more difficult to crack. Group 1 uses a 768 bit key.



Community Member

Re: Diffie Hellman

You are a saviour, it is now clear. I didnt need to know this, but I like to know the workings of things before I go configuring it just in case.

Thanks Paul

CreatePlease to create content