protocol · 03 / 05 · ECDH

Key Exchange

Agree on a secret over a line everyone can hear.

built from: Hashing

What it does

Encryption needs a key both sides already share. But how do you share that key in the first place, if the only channel between you is one an attacker is listening to? Mailing it across the open wire just hands it to them. This is the oldest chicken-and-egg problem in cryptography, and for most of history the only answer was “meet in person first.”

Key exchange dissolves it. Two strangers who have never met, talking entirely in public, can end up holding the same secret number — one that the eavesdropper watching every message cannot reconstruct. It sounds impossible. The math says otherwise.

The idea: mix, swap, mix again

The classic picture is paint. Everyone agrees on a common base color, out in the open. Each person privately mixes in a secret color of their own and sends the mixture across — and the trick is that un-mixing paint is hard, so the secret color stays hidden. When each side mixes their own secret into the color they received, both arrive at the identical final blend. The eavesdropper saw the two mixtures go by but can't separate either back into its secret.

Real key exchange swaps paint for a one-way function: something easy to compute forward and brutally hard to run backward. With small numbers you can watch the whole thing happen.

By hand: the modular-arithmetic version

Here is Diffie–Hellman with numbers tiny enough to follow. The base g and prime p are public. Alice and Bob each pick a private exponent, raise g to it modulo p, and send the result. Change either private exponent and both sides still land on the same shared value:

public, known to all: base g = 5 · prime p = 23

Alice: private a = 6 → A = gᵃ mod p = 8 (sent in the open)
Bob:   private b = 15 → B = gᵇ mod p = 19 (sent in the open)

each raises the other's public value to their own secret

Alice: Bᵃ mod p = 19⁶ mod 23 = 2
Bob:   Aᵇ mod p = 8¹⁵ mod 23 = 2

shared secret = 2, the same on both sides, never sent

Eve sees g = 5, p = 23, A = 8, B = 19

The forward step, g^a mod p, costs a few hundred modular multiplications even for a large p (square-and-multiply). The reverse step, recovering a from g, p and the public value, is the discrete logarithm problem, and nobody knows a fast way to do it in a well-chosen group. With these toy numbers Eve cracks it in at most 22 guesses. Scale p up to hundreds of digits (2048 bits is the usual floor today) and her search becomes longer than the lifetime of the universe, while Alice's and Bob's side stays instant.
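The same exchange in code, as an added example that is not part of the original page: the honest run with the page's g = 5, p = 23, a = 6, b = 15, and then Eve's brute-force discrete log, which succeeds here precisely because p is tiny. The function names are this example's own; only the numbers come from the page.

```python
# Added example (not from the original page): textbook Diffie-Hellman with the
# page's toy parameters, plus the brute-force discrete log Eve can run against them.
import secrets
from typing import Optional

# Public parameters from the page: generator g, prime p (5 generates all of Z_23*).
G, P = 5, 23


def dh_public(g: int, secret: int, p: int) -> int:
    """Forward step: g^secret mod p. pow() does square-and-multiply internally,
    so this stays fast even when p has hundreds of digits."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Raise the peer's public value to your own secret."""
    return pow(peer_public, secret, p)


def dh_exchange(g: int, p: int, a: int, b: int) -> dict:
    """Run a full exchange and return what each party holds and what Eve sees."""
    A = dh_public(g, a, p)          # Alice sends A in the open
    B = dh_public(g, b, p)          # Bob sends B in the open
    return {
        "A": A,
        "B": B,
        "alice_shared": dh_shared(B, a, p),
        "bob_shared": dh_shared(A, b, p),
        "eve_sees": (g, p, A, B),
    }


def brute_force_dlog(g: int, target: int, p: int) -> Optional[int]:
    """Reverse step: find x with g^x mod p == target by trying every exponent.
    At most p-1 steps: trivial for p = 23, hopeless for a 2048-bit p."""
    value = 1
    for x in range(p - 1):
        if value == target:
            return x
        value = (value * g) % p
    return None


def eve_recovers_secret(g: int, p: int, A: int, B: int) -> Optional[int]:
    """Eve only needs ONE private exponent: recover a from A, then do what Alice did."""
    a = brute_force_dlog(g, A, p)
    return None if a is None else dh_shared(B, a, p)


if __name__ == "__main__":
    run = dh_exchange(G, P, a=6, b=15)
    print(run)                                                   # both shared values are 2
    print("Eve:", eve_recovers_secret(G, P, run["A"], run["B"]))  # also 2 with p = 23
    # Random secrets in [1, p-2] still agree every time.
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    r = dh_exchange(G, P, a, b)
    assert r["alice_shared"] == r["bob_shared"]
```

Swap P for a 2048-bit safe prime (RFC 3526 group 14, say) and `dh_exchange` still returns instantly, while `brute_force_dlog` never finishes; that asymmetry is the whole protocol.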

The real thing: ECDH on a curve

Your browser doesn't use plain modular exponentiation for this anymore; it uses ECDH, the elliptic-curve version (in practice X25519 or P-256). The idea is identical; only the one-way function changes. Instead of raising a number to a power, each side multiplies a fixed base point on the curve by its secret scalar. Reversing that is the elliptic-curve discrete log problem, which is harder per bit than the modular version, so a 256-bit curve key gives roughly the strength of a 3072-bit modular one. The demo below runs a real exchange on P-256:

ECDH P-256 demo (interactive on the original page): Alice's public key and Bob's public key, each sent in the open; Alice derives the shared secret; Bob derives the shared secret.

An eavesdropper captured both public keys above — and that's all they get. Recovering the shared secret from the two publics is the elliptic-curve discrete log problem: easy to compute forward, infeasible to reverse.
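What the demo does under the hood, written out as an added example rather than the page's own widget code: P-256 point arithmetic in plain Python, a key pair per side, and the shared x-coordinate hashed into a key. The curve constants are the published NIST P-256 parameters; the point-validity check on the received public key is standard practice, not something the page discusses. This is for reading, not for production: a real implementation uses a vetted constant-time library.

```python
# Added example (not from the original page): ECDH on NIST P-256 from scratch so
# the "multiply a point by a secret" step is visible. Not side-channel safe.
import hashlib
import secrets
from typing import Optional, Tuple

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + a*x + b over GF(p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity


def on_curve(pt: Point) -> bool:
    """Reject anything that is not a solution of the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Affine addition and doubling with the textbook chord-and-tangent formulas."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: the one-way step. Easy forward, no known fast reverse."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen() -> Tuple[int, Point]:
    """Fresh (ephemeral) key pair: random scalar d in [1, N-1], public point d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def ecdh_shared(my_private: int, peer_public: Point) -> bytes:
    """Validate the peer's point, multiply it by our secret, hash the x-coordinate.
    P-256 has cofactor 1, so an on-curve check is enough to rule out bogus points."""
    if peer_public is None or not on_curve(peer_public):
        raise ValueError("peer public key is not a valid P-256 point")
    shared = scalar_mult(my_private, peer_public)
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


if __name__ == "__main__":
    a_priv, a_pub = keygen()            # Alice
    b_priv, b_pub = keygen()            # Bob
    print("Alice sends x =", hex(a_pub[0]))
    print("Bob   sends x =", hex(b_pub[0]))
    assert ecdh_shared(a_priv, b_pub) == ecdh_shared(b_priv, a_pub)
    print("shared key   =", ecdh_shared(a_priv, b_pub).hex())
```

Both sides end with a*(b*G) = b*(a*G) = (a*b)*G; Eve holds a*G and b*G and would need a or b to get there. Hashing the x-coordinate is the simplest stand-in for the key-derivation step (HKDF in TLS) that turns a curve point into usable key material.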

Forward secrecy: throw the keys away

Notice the keys above are generated fresh each time. In practice every connection invents brand-new exchange keys and discards them when it ends; they're ephemeral. The server's long-term key only signs the handshake to prove who sent the ephemeral public value; it never encrypts the session secret. The payoff is forward secrecy: even if an attacker records all your encrypted traffic today and steals the server's long-term key years later, there's no ephemeral private key left to recover, so the old conversations stay sealed. The guarantee only holds if the ephemeral secrets really are erased; anything that keeps them reachable, such as a long-lived session-resumption key, weakens it.

A shared secret isn't proof of who

Key exchange gets you a secret shared with whoever is on the other end, but it says nothing about who that is. An attacker who sits in the middle can run a separate exchange with each side and quietly relay, reading everything. Closing that gap needs identity, and identity needs signatures: the server signs its ephemeral public value with a long-term key that the client can check against a certificate. Bolt the two together and you've nearly built the TLS handshake.
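The relay attack spelled out, as an added example that is not part of the original page: Eve never touches the discrete log, she just answers each side with a public value of her own. It reuses the page's toy g = 5, p = 23, a = 6, b = 15 so every number is checkable by hand; Eve's exponents (3 and 9) and the fingerprint comparison are this example's own. The fingerprint stands in for the out-of-band check, like Signal's safety numbers, that a signature-less protocol needs to notice the substitution.

```python
# Added example (not from the original page): a man-in-the-middle relay against
# unauthenticated Diffie-Hellman, and the fingerprint mismatch that exposes it.
import hashlib

G, P = 5, 23   # the page's toy group


def dh_public(secret: int) -> int:
    return pow(G, secret, P)


def dh_shared(peer_public: int, secret: int) -> int:
    return pow(peer_public, secret, P)


def fingerprint(alice_value: int, bob_value: int) -> str:
    """Short hash of the two public values in a fixed order. Each party computes it
    from what THEY saw on the wire and compares over a channel Eve cannot edit."""
    return hashlib.sha256(f"{alice_value}|{bob_value}".encode()).hexdigest()[:8]


def honest_exchange(a: int, b: int) -> dict:
    A, B = dh_public(a), dh_public(b)
    return {
        "alice_secret": dh_shared(B, a),
        "bob_secret": dh_shared(A, b),
        "alice_fp": fingerprint(A, B),
        "bob_fp": fingerprint(A, B),
    }


def mitm_exchange(a: int, b: int, e_to_bob: int, e_to_alice: int) -> dict:
    """Eve intercepts A and B and replaces them with her own E1 (sent to Bob)
    and E2 (sent to Alice). Each victim completes a perfectly valid exchange,
    just not with each other."""
    A, B = dh_public(a), dh_public(b)
    E1, E2 = dh_public(e_to_bob), dh_public(e_to_alice)
    alice_secret = dh_shared(E2, a)          # Alice thinks E2 is Bob's value
    bob_secret = dh_shared(E1, b)            # Bob thinks E1 is Alice's value
    eve_with_alice = dh_shared(A, e_to_alice)
    eve_with_bob = dh_shared(B, e_to_bob)
    return {
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        "eve_with_alice": eve_with_alice,    # Eve decrypts Alice's traffic with this
        "eve_with_bob": eve_with_bob,        # ...and re-encrypts toward Bob with this
        "alice_fp": fingerprint(A, E2),      # what Alice saw
        "bob_fp": fingerprint(E1, B),        # what Bob saw
    }


if __name__ == "__main__":
    h = honest_exchange(6, 15)
    print("honest:", h)                      # secrets 2 and 2, fingerprints equal
    m = mitm_exchange(6, 15, e_to_bob=3, e_to_alice=9)
    print("mitm:  ", m)                      # Alice/Eve share 9, Bob/Eve share 5
    print("detected:", m["alice_fp"] != m["bob_fp"])
```

Nothing in the math told Alice or Bob they were talking to Eve; only comparing what each of them actually received does. A signature over the public value, checked against a known key, is the automated form of the same comparison.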

What it's for

  • The start of every HTTPS connection: before any page loads, your browser and the server run a key exchange to agree on the secret from which the session's AES keys are derived.
  • Messaging apps: Signal's Double Ratchet folds a fresh exchange in every time the conversation changes direction, so each message ends up with its own short-lived key.
  • VPNs & SSH: the same handshake bootstraps a private tunnel before a single byte of real data moves.