Diffie-Hellman key exchange (D-H) is a method by which two machines connected through an insecure channel agree on a shared secret key.
When a client begins a connection to a secured web service, the SSL negotiation takes place: the public keys are exchanged and then the two parties come to an agreement on the keys and ciphers to be used during the communication.
This illustration explains perfectly how the negotiation behaves, using colors. Just imagine how it works with the large random numbers computed by both communicating nodes.
How it’s used in a load balancer
The load balancer creates SSL services when it performs SSL Offload operations, in the form:
Zen Load Balancer uses the OpenSSL tools with the dhparam options to generate the Diffie-Hellman keys. Read more about the full options here.
In order to create an SSL Offload farm (an HTTP profile with an HTTPS listener in Zen Load Balancer), a Diffie-Hellman key must be generated following these good practices to ensure robust key generation:
1. A minimum key length of 2048 bits. A longer key is more difficult to break in a reasonable amount of time.
2. One DH key per SSL farm, which makes it more difficult to break the communication of several SSL services at once and isolates the security of every farm.
3. Less predictable random generation means the communication is more difficult to break.
Note that generating Diffie-Hellman keys is usually a computationally costly process, because the random number generation can take a long time, but it provides a security assurance for our SSL services.