Securing data as it passes through the internet usually requires protecting it in two ways:
- Confidentiality -- assuring no one except the intended recipients can read the data
- Integrity -- assuring no one can modify or tamper the data in transit
Confidentiality is provided using Symmetric Encryption and Integrity is provided using a Message Authentication Code (MAC).
Both Symmetric Encryption and MAC's require that both parties have identical and secret keys (a "key" in this sense being simply a number, converted to binary).
The problem then is How do both parties establish identical and secret keys over the Internet? (or any other insecure medium). This is known as "the key exchange problem".
One of the solutions for this problem is the Diffie-Hellman algorithm.
Diffie-Hellman allows two parties to establish a shared secret over an insecure medium. Or, to put it more simply....
Imagine you and your friend were standing in a crowded room, surrounded by dubious looking people. Assume you and your friend needed to agree upon an identical number, but do not want anyone else in the room to know what number that is. Diffie-Hellman would allow you and your friend to cleverly exchange some numbers, and from those numbers calculate another number which is identical. And even though everyone in the room heard the numbers being exchanged, they have no way to determine the final number you and your friend arrived to.
We can see an example of this occurring in the image below. Alice and Bob will use the Diffie-Hellman key exchange to establish a shared secret.
Anyone "listening in" on the conversation would only "hear" the numbers which were exchanged in the middle: 13,6,2,9. There is no consistent way to combine these four numbers to attain the final shared secret: 3 without knowing one of either Alice or Bob's Private values (5 or 4) which were never shared.
That is the beauty of Diffie-Hellman.
The numbers used in the example above are small to keep the math simple. In reality, numbers used in modern Diffie-Hellman exchanges are (or ought to be) at minimum 2048 bits long -- which would require approximately 617 digits to write out!!
After finishing the Diffie-Hellman key exchange, both parties now possess an identical value, known only to each party.
This value becomes the "starting point" from which additional keys can be generated.
Earlier, we mentioned Symmetric Encryption and Message Authentication Codes each require a Secret Key. Well, take your DH Shared Secret and combine it with a few other values and now you have the Encryption and MAC keys you need.
The additional benefit is combining values to create keys is easy... It can be done as many times as necessary.
In fact, many security protocols (SSL/TLS, IPsec, etc) generate one set of keys to secure traffic in each direction -- a total of four keys (MAC + Encryption in one direction, MAC + Encryption in the other direction). All four keys generated from the same initial starting value, derived from Diffie-Hellman.