ScholarGate

Key Exchange and Establishment

Key-establishment protocols let parties agree on a fresh shared secret key, binding it to authenticated identities so that subsequent communication can be protected with fast symmetric cryptography.


Definition

Key establishment is a protocol by which two or more parties come to share a secret key; in key agreement both parties contribute to the key, while in key transport one party generates and securely sends it.

Scope

This topic covers authenticated key-exchange (AKE) protocols: key agreement versus key transport, the threats they must resist (man-in-the-middle, replay, key-compromise impersonation), security properties such as forward secrecy and contributory key control, and the formal models (Bellare-Rogaway, Canetti-Krawczyk) used to analyze them. It addresses how authentication is added to raw Diffie-Hellman. It excludes the mathematics of the underlying problems and the deployed channel protocols, which are treated separately.

Core questions

  • What security properties must an authenticated key-exchange protocol guarantee?
  • How is authentication layered onto a raw key-agreement protocol like Diffie-Hellman?
  • What is forward secrecy and how does the choice of ephemeral keys provide it?
  • How do formal models capture an active attacker who controls the network?
  • What attacks (man-in-the-middle, replay, key-compromise impersonation, unknown-key-share) must protocols resist?

Key concepts

  • key agreement vs key transport
  • authenticated key exchange
  • forward secrecy
  • ephemeral keys
  • man-in-the-middle attack
  • key-compromise impersonation
  • unknown-key-share attack
  • Bellare-Rogaway and Canetti-Krawczyk models
  • key derivation function

Key theories

Authenticated key exchange
Raw key agreement gives a shared secret but not assurance of the partner's identity; AKE protocols add authentication (via signatures, certificates, or pre-shared keys) so each party knows it shares the key with the intended peer and not an impostor.

Forward secrecy and session-key freshness
Using fresh ephemeral key material per session and combining it with long-term authentication keys yields a session key that remains secret even if long-term keys are later compromised, while resisting replay of old sessions.

Mechanisms

A typical AKE combines an ephemeral Diffie-Hellman exchange with authentication: parties exchange ephemeral public values and prove their identity by signing transcript data or by using a pre-shared or certified long-term key. The resulting shared secret is passed through a key-derivation function with a transcript hash to bind it to the session, defeating replay and unknown-key-share attacks and providing fresh, authenticated session keys.
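The flow described above, as an added example (not code from this page or from any protocol it names): an ephemeral Diffie-Hellman exchange authenticated with a pre-shared key, where each side MACs the transcript hash and the session key comes out of HKDF bound to that hash. The modulus, role labels, identities and function names are assumptions chosen for illustration, and the demo group is not a vetted parameter set.

```python
import hashlib
import hmac
import secrets

# Demo-only group (assumption): prime 2**255 - 19 with base 2. It keeps the
# block short; real protocols use X25519 or a standardized DH group.
P, G = 2**255 - 19, 2

def hkdf(ikm: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an all-zero salt, one 32-byte output block."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def ephemeral_keypair():
    x = secrets.randbelow(P - 3) + 2            # fresh per session: forward secrecy
    return x, pow(G, x, P)

def transcript_hash(id_i: bytes, id_r: bytes, eph_i: int, eph_r: int) -> bytes:
    h = hashlib.sha256()
    for part in (id_i, id_r, eph_i.to_bytes(32, "big"), eph_r.to_bytes(32, "big")):
        h.update(len(part).to_bytes(2, "big") + part)   # length-prefix each field
    return h.digest()

def auth_tag(psk: bytes, role: bytes, th: bytes) -> bytes:
    # The role label stops a party's own tag from being reflected back to it.
    return hmac.new(psk, role + th, hashlib.sha256).digest()

def finish(psk, peer_role, my_priv, peer_pub, th, peer_tag) -> bytes:
    """Authenticate the peer over the transcript, then derive the session key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate ephemeral value")
    if not hmac.compare_digest(peer_tag, auth_tag(psk, peer_role, th)):
        raise ValueError("peer authentication failed")
    shared = pow(peer_pub, my_priv, P).to_bytes(32, "big")
    return hkdf(shared, b"session key" + th)    # key bound to this transcript

def run_handshake(tamper: bool = False):
    psk = secrets.token_bytes(32)               # long-term key, authentication only
    a, A = ephemeral_keypair()
    b, B = ephemeral_keypair()
    B_seen = (B * G) % P if tamper else B       # value the initiator receives
    th_i = transcript_hash(b"alice", b"bob", A, B_seen)   # constructed identities
    th_r = transcript_hash(b"alice", b"bob", A, B)
    tag_i = auth_tag(psk, b"initiator", th_i)
    tag_r = auth_tag(psk, b"responder", th_r)
    k_i = finish(psk, b"responder", a, B_seen, th_i, tag_r)
    k_r = finish(psk, b"initiator", b, A, th_r, tag_i)
    return k_i, k_r
```

With `tamper=True` the initiator receives a substituted ephemeral value, so its transcript hash no longer matches the one the responder authenticated and `finish` raises instead of returning a key.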

Practical relevance

Key establishment is the opening act of almost every secure session: the TLS 1.3 handshake, the Signal X3DH and Double Ratchet, IPsec IKEv2, SSH, and WireGuard all run authenticated key exchanges before any data flows. Their correctness determines whether an attacker can impersonate a server or silently sit between two parties.

Evidence & guidelines

Key-establishment schemes are standardized in NIST SP 800-56A/B and analyzed in models such as Bellare-Rogaway and Canetti-Krawczyk. Modern protocols (TLS 1.3, Noise framework) mandate forward-secret ephemeral exchanges and have received formal security analysis. Legacy static-key exchanges without forward secrecy are discouraged.

History

Authenticated key exchange grew from the 1976 Diffie-Hellman protocol and the recognition that it needed authentication to resist active attackers. The 1990s-2000s produced rigorous security models (Bellare-Rogaway 1993, Canetti-Krawczyk 2001) and station-to-station and MQV-style protocols. The lessons were consolidated in the formally analyzed TLS 1.3 handshake and the Noise protocol framework.

Key figures

  • Whitfield Diffie
  • Martin Hellman
  • Mihir Bellare
  • Phillip Rogaway
  • Ran Canetti
  • Hugo Krawczyk

Seminal works

  • diffie1976
  • katz2020
  • menezes1996

Frequently asked questions

What is the difference between key agreement and key transport?
In key agreement (like Diffie-Hellman) both parties contribute randomness so neither alone determines the final key. In key transport one party generates the key and sends it encrypted under the other's public key. Agreement more naturally supports forward secrecy.

Why isn't establishing a key once enough for a long session?
A long-lived key exposes more traffic if it is compromised, and the longer it stays in use, the more material an attacker has for cryptanalysis or observation. Protocols periodically re-key or ratchet (as in Signal) so that compromising one session key does not expose past or future messages.
