How to use Diffie Hellman algorithm at the browser? [migrated]

I want to use NodeJS as a server-side language. NodeJS has a crypto module where DiffieHellman is a class. So, I can use this method to generate the key and compute the key.

But the client also needs to create another instance of the DiffieHellman class. How do I do that? Can I use the crypto module on the client side? If yes, then how? Any solution? Here is my client side code…

    const crypto = require('crypto');
    const express = require('express');
    const app = express();

    // Generate server's keys...
    const server = crypto.createDiffieHellman(139);
    const serverKey = server.generateKeys();
    // send p=prime and g=generator to the client

Diffie Hellman implementation - NodeJS

Diffie Hellman is a key exchange algorithm where the client and server both generate a public and private key, exchange their public keys, and each combine the other's public key with their own private key to generate the same secret key.

But there is some confusion in the implementation. Here is the code…

    const crypto = require('crypto');
    const express = require('express');
    const app = express();

    // Generate server's keys...
    const server = crypto.createDiffieHellman(139);
    const serverKey = server.generateKeys();

    // Generate client's keys...
    const client = crypto.createDiffieHellman(server.getPrime(), server.getGenerator());
    const clientKey = client.generateKeys();

    // Exchange and generate the secret...
    const serverSecret = server.computeSecret(clientKey);
    const clientSecret = client.computeSecret(serverKey);

First of all, the server creates an instance of the DiffieHellman class to generate a key. But the client needs the server’s prime (.getPrime()) and generator (.getGenerator()) to create another instance of the DiffieHellman class to generate a key.

So, the server needs to pass the values of server.getPrime() and server.getGenerator() to the client. What happens if a man-in-the-middle attack occurs at this time? Because if a hacker somehow gets these two things, then they can also generate the same secret key. (-_-)

Any solution? Think of this system without TLS.

How to send the prime and generator of Diffie-Hellman to the client over the network in Node.js?

I am using the crypto module of Node.js for exchanging keys using the Diffie-Hellman algorithm.

server.js

    const crypto = require("crypto");

    const alice = crypto.createDiffieHellman(512);

    const aliceKey = alice.generateKeys();

client.js

    const bob = crypto.createDiffieHellman(alice.getPrime(), alice.getGenerator());

    const bobKey = bob.generateKeys();

    const aliceSecret = alice.computeSecret(bobKey);

    const bobSecret = bob.computeSecret(aliceKey);

The above example is taken from the Node.js documentation. As shown, the client uses the server's prime number for generating the prime number.

My question is: how should I securely send the prime number and the other parameter to the client over the internet? Are there any other alternatives?

Another question: I am generating keys using the generateKeys function, but I have already generated private-key.pem and public-cert.pem files. Can I use those? If yes, then how? If no, then what is the difference between those keys?

Is the server’s private key needed in the Diffie Hellman key exchange?

I understand the Diffie Hellman key exchange. What I don’t understand is the role the server’s private key plays in it.

I’m not talking about the server’s generated secret. I understand that purpose quite well. I’m talking about the private key associated with the server’s certificate/public key.

I understand the role of the server’s private key in the RSA key exchange, but I don’t think the server’s private key is needed in the Diffie Hellman key exchange.

If the server’s private key isn’t needed in the Diffie Hellman key exchange AND I forced all clients to only use the Diffie Hellman key exchange, could I, in theory, delete the server’s private key for added security?
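
Added example, not part of any of the posts above: in Diffie-Hellman the prime p and generator g are public parameters, so what the receiver needs is proof of who sent them and the accompanying public value. This sketch has the server sign p, g and its ephemeral public value with a long-term key that the client is assumed to trust already; the function names, the Ed25519 identity key and the fixed `modp14` group are choices made for this example.

```javascript
const crypto = require('crypto');

// Long-term identity key. Assumption: the client already trusts
// identity.publicKey (pinned, or taken from a certificate it validated).
const identity = crypto.generateKeyPairSync('ed25519');

// Length-prefix each field so the signed bytes parse unambiguously.
function encode(...fields) {
  return Buffer.concat(fields.flatMap((f) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(f.length);
    return [len, f];
  }));
}

// Server: ephemeral DH key on the RFC 3526 2048-bit group, then a
// signature over p, g and the public value with the long-term key.
function serverHello(signingKey) {
  const dh = crypto.getDiffieHellman('modp14');
  const msg = { p: dh.getPrime(), g: dh.getGenerator(), pub: dh.generateKeys() };
  msg.sig = crypto.sign(null, encode(msg.p, msg.g, msg.pub), signingKey);
  return { dh, msg };
}

// Client: verify the signature before using any received value.
function clientFinish(msg, trustedKey) {
  if (!crypto.verify(null, encode(msg.p, msg.g, msg.pub), trustedKey, msg.sig)) {
    throw new Error('server DH parameters failed signature check');
  }
  const dh = crypto.createDiffieHellman(msg.p, msg.g);
  const pub = dh.generateKeys();
  return { pub, secret: dh.computeSecret(msg.pub) };
}

function demo() {
  const { dh, msg } = serverHello(identity.privateKey);
  const client = clientFinish(msg, identity.publicKey);
  const serverSecret = dh.computeSecret(client.pub);
  // Constructed tampering case: the public value is swapped in transit.
  const altered = { ...msg, pub: crypto.getDiffieHellman('modp14').generateKeys() };
  let rejected = false;
  try { clientFinish(altered, identity.publicKey); } catch (e) { rejected = true; }
  return { match: serverSecret.equals(client.secret), rejected };
}
```

Only the server is authenticated here; the client's public value is accepted as sent. The raw shared secret should go through a KDF such as HKDF before it is used as a cipher key.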