What is Key Exchange?
Key exchange helps two systems create a shared secret over an untrusted network without directly sending that secret.
Alice and Bob Create the Same Secret
The colour-mixing model is a teaching metaphor for the intuition behind key exchange.
Alice: public colour
Bob: public colour
Observer: sees public colour
Alice: adds Alice private colour
Bob: adds Bob private colour
Observer: does not see private colours
Alice: sends Alice mixed colour
Bob: sends Bob mixed colour
Observer: sees both mixed colours
Alice: adds Alice private colour
Bob: adds Bob private colour
Observer: still lacks private colours
Alice: same final colour
Bob: same final colour
Observer: cannot easily recreate it
Client contacts server
A secure connection starts.
Key exchange mechanism runs
Both sides use public and private information.
Shared secret is derived
Both sides arrive at the same secret material.
Symmetric encryption begins
Data is protected efficiently.
Key exchange is the setup step. It helps two systems create the same secret so symmetric encryption can protect data.
Short Answer
Key exchange solves a simple problem: both sides need the same secret, but should not send that secret across the network.
A public process starts it
Two systems can use public information and private information to arrive at shared secret material.
It prepares encryption
After key exchange, the systems can use symmetric encryption to protect the actual data.
It matters for PQC
Many current key exchange methods depend on public-key cryptography, so migration needs new ways to establish shared secrets safely.
Core Explanation
Secure communication needs a shared secret
Symmetric encryption is efficient for protecting data, but both sides need the same secret key.
The hard part is agreeing on the secret in the first place.
- browser and website
- laptop and VPN gateway
- app and API
- two internal systems
- device and cloud service
You should not simply send the secret
A network is not automatically private. Traffic may pass through routers, providers, gateways, proxies, Wi-Fi networks, cloud services, and other infrastructure.
If one side simply sends the secret key, an attacker who can observe the traffic may copy it.
Public-key cryptography helps create shared secrets
Many current key exchange mechanisms use public-key cryptography.
Both sides exchange public information, keep private information secret, perform a calculation, and arrive at the same shared secret.
The shared secret is then used for encryption
Key exchange is not the whole secure connection. It is a setup step.
Key exchange helps create the secret. Symmetric encryption uses the secret to protect data efficiently.
PQC introduces KEMs
In post-quantum cryptography, readers will often see the term KEM, or Key Encapsulation Mechanism.
This page explains the general problem: creating a shared secret. The KEM page explains a specific mechanism model that is important for post-quantum cryptography.
Do not worry about ML-KEM yet. The main idea for now is that PQC still needs secure ways for systems to establish shared secrets.
Why It Matters
Key exchange sits at the start of many secure connections.
It appears in real infrastructure
HTTPS and TLS, VPNs, APIs, service-to-service communication, remote access, cloud connections, device-to-cloud communication, and identity flows may all depend on key establishment.
It links directly to PQC
Many current approaches rely on public-key assumptions that may need a future migration path.
It leads to KEMs
That is why PQC discussions often move from key exchange to KEMs and ML-KEM.
Practical Example
Opening a secure website
When you open a secure website, your browser and the website need to protect the data they exchange.
They should not simply send a secret encryption key over the network. Instead, they use a key exchange process to create shared secret material.
After that, symmetric encryption can protect the actual session data.
Common Misunderstanding
Key exchange means one side sends the encryption key to the other side.
Key exchange is designed to avoid simply sending the secret. The two sides use a cryptographic process to derive the same shared secret while an observer sees only public exchange information.
What to Remember
One-Sentence Summary
Key exchange lets two systems create a shared secret over an untrusted network without directly sending that secret.
Three Key Points
- Secure connections often need shared secrets.
- Key exchange helps create those secrets safely.
- PQC introduces KEMs as an important model for post-quantum key establishment.