Diffie Hellman implementation- NodeJS


Diffie Hellman is a key exchange algorithm where client and server both generate public and private key, exchange their public key and combine this key with his own private key to generate same secret key.

But, here is a confusion in the implementation. Here is the code…

const crypto = require('crypto'); const express = require('express'); const app = express();  // Generate server's keys... const server = crypto.createDiffieHellman(139); const serverKey = server.generateKeys();  // Generate client's keys... const client = crypto.createDiffieHellman(server.getPrime(), server.getGenerator()); const clientKey = client.generateKeys();  // Exchange and generate the secret... const serverSecret = server.computeSecret(clientKey); const clientSecret = client.computeSecret(serverKey);   

First of all, server create an instance of DiffieHellman class to generate key. But, client need server’s prime (.getPrime()) and Generator (.getGenerator()) to generate another instance of DiffieHellman class to generate key.

So, server need to pass the value of server.getPrime() and server.getGenerator() to the client. What happen if any middle-man-attack rises in this time? Because, if somehow hacker get this two things then they can also generate same secret key. (-_-)

Any solution? Think this system without TLS.