Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is a key exchange algorithm that allows two parties to establish a shared secret over an insecure communication channel. It is a variant of the Diffie-Hellman key exchange that uses elliptic curve cryptography to provide stronger security with smaller key sizes.

The “ephemeral” part of the name refers to the fact that the key used in the key exchange is only used once and then discarded. This provides forward secrecy, which means that if an attacker were to compromise the private key of one party at a later time, they would not be able to use it to decrypt past communications.

In ECDHE, each party generates a public-private key pair on an agreed elliptic curve. The parties exchange their public keys, and each combines its own private key with the other's public key to arrive at the same shared secret. That shared secret is then used to derive keys for encrypting subsequent communication with symmetric encryption.

ECDHE is widely used in secure communication protocols such as TLS (Transport Layer Security) to establish secure connections between web servers and clients. It provides a high level of security with relatively small key sizes, making it well-suited for use in resource-constrained environments such as mobile devices.

Difference between ECDHE/DHE and ECDH

The difference between ECDHE/DHE and ECDH is that with ECDH one key is used for the duration of the SSL session (and that key can also be used for authentication), while with ECDHE/DHE a distinct key is used for every exchange. Since this ephemeral key is not a certificate/public key, no authentication can be performed with it: an attacker can substitute their own key. Thus when using ECDHE/DHE, you should also implement client key validation on your server (2-way SSL) to provide authentication.

ECDHE and DHE give forward secrecy while ECDH does not. ECDHE is significantly faster than DHE. There are rumors that the NSA can break DHE keys, so ECDHE keys are preferred; other sites indicate that DHE is more secure. The calculation used for the keys is also different: DHE is prime-field Diffie-Hellman, ECDHE is Elliptic Curve Diffie-Hellman. ECDHE can be configured, and ECDHE ciphers must not support weak curves, e.g. curves of less than 256 bits.
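The exchange described above, as an added example that is not part of the original glossary entry: two parties each generate a fresh P-256 key pair for one handshake, swap public keys, and derive the same symmetric key. The peer's public key is parsed with a check that rejects points not on the curve, and a second handshake yields a different key, which is what makes the keys ephemeral. The `party` type, `runHandshake` and the SHA-256 step in place of a full KDF are assumptions for illustration, not TLS itself.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party holds one side's ephemeral key pair, valid for a single handshake only.
type party struct {
	priv *ecdh.PrivateKey
}

// newParty generates a fresh key pair on the given curve; in ECDHE this happens per session.
func newParty(curve ecdh.Curve) (*party, error) {
	priv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &party{priv: priv}, nil
}

// publicBytes returns the encoded public point that is sent to the peer.
func (p *party) publicBytes() []byte { return p.priv.PublicKey().Bytes() }

// deriveKey parses the peer's public key (rejecting malformed or off-curve points),
// computes the ECDH shared secret and hashes it into a 32-byte symmetric key.
func (p *party) deriveKey(peerPub []byte) ([]byte, error) {
	pub, err := p.priv.Curve().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("invalid peer public key: %w", err)
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	// Simplified KDF for illustration: TLS 1.3 runs HKDF over the secret and handshake transcript.
	sum := sha256.Sum256(secret)
	return sum[:], nil
}

// runHandshake performs one ECDHE exchange and returns the key each side derived.
func runHandshake(curve ecdh.Curve) (clientKey, serverKey []byte, err error) {
	client, err := newParty(curve)
	if err != nil {
		return nil, nil, err
	}
	server, err := newParty(curve)
	if err != nil {
		return nil, nil, err
	}
	if clientKey, err = client.deriveKey(server.publicBytes()); err != nil {
		return nil, nil, err
	}
	if serverKey, err = server.deriveKey(client.publicBytes()); err != nil {
		return nil, nil, err
	}
	return clientKey, serverKey, nil
}

func main() {
	c, s, err := runHandshake(ecdh.P256())
	if err != nil {
		panic(err)
	}
	fmt.Printf("client key %x\nserver key %x\n", c, s)
}
```

Note that nothing here authenticates the peer: as the text says, the ephemeral public key must be signed by a certificate key (or the client validated) for the exchange to resist substitution.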
