ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is a cryptographic algorithm used for secure key exchange in network protocols like TLS (Transport Layer Security). Its main function is to enable two parties (e.g., client and server) to agree on a shared secret over an insecure network, without transmitting the secret itself. This fact almost alone has ensured extensive use of ECDHE in TLS configurations.

But what is ECDHE and how does it work?

ECDHE is built on elliptic curve cryptography which is a highly efficient type of public/private key interchange. ECC uses mathematical structures called elliptic curves to provide the same security as more traditional cryptographic systems (e.g., RSA) but with smaller key sizes and better performance.

Generating public and private keys is easy enough (e.g., using a product such as openssl) but exchanging them securely is a huge challenge, often leading to configurations deploying unnecessarily large key sizes. For example, a 256-bit ECDHE key size is equivalent to RSA 3072-bit key size. ECDHE therefore provides a great combination of: small key size, optimal key strength and secure key exchange mechanism, which provides great overall performance.

The key size is determined by the size of the elliptic curve used in the cryptographic computation. The security of the ECDHE also depends on the specific elliptic curve used. The most commonly used curves are:

• Secp256r1 (P-256) – a 256-bit curve, efficient and secure for most purposes and therefore widely supports in TLS implementations
• Secp384-r1(P-384) – a 384-bit curve used for higher security
• Secp521r1(P-521) – a 521 curve for very high security requirements

The DH principle allows two parties to compute a shared secret using their private keys and the other party’s public key. The shared secret derived from ECDHE is then used to derive symmetric session keys for encrypting the communication between the two parties, typically: AES-128 or AES-256-bit.

In addition, the ‘E’ in ECDHE stands for ephemeral. This means that new keys pairs are generated for every session, ensuring that each session has a unique shared secret. These ephemeral keys are critical in achieving forward secrecy, ensuring past sessions remain secure even in the event of private key being compromised in the future.

There are many advantages of using ECDHE in a TLS profile:

• Each session has a unique shared secret, so even if the server’s private key is compromised in the future, past communications remain secure.
• ECC’s smaller key sizes make computations faster and reduce bandwidth compared to tradition Diffie-Hellman or RSA
• ECC provides stronger security for its key size due to the hardness of the elliptic curve discrete logarithm problem.

ECDHE is widely used in TLS deployments, often paired with RSA or ECDSA for authentication.

It is therefore recommended by MIC Solutions Ltd to consider using ECDHE key exchange algorithm in your TLS security policies.