Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can’t be seen by observing the communication. That’s an important distinction: You’re not sharing information during the key exchange, you’re creating a key together.

This is particularly useful because you can use this technique to create an encryption key with someone, and then start encrypting your traffic with that key. And even if the traffic is recorded and later analyzed, there’s absolutely no way to figure out what the key was, even though the exchanges that created it may have been visible. This is where perfect forward secrecy comes from. Nobody analyzing the traffic at a later date can break in because the key was never saved, never transmitted, and never made visible anywhere.

The way it works is reasonably simple. A lot of the math is the same as you see in public key crypto in that a trapdoor function is used. And while the discrete logarithm problem is traditionally used (the xy mod p business), the general process can be modified to use elliptic curve cryptography as well.

But even though it uses the same underlying principles as public key cryptography, this is not asymmetric cryptography because nothing is ever encrypted or decrypted during the exchange. It is, however, an essential building-block, and was in fact the base upon which asymmetric crypto was later built.

The basic idea works like this:

I come up with a prime number p and a number g which is coprime to p-1 and tell you what they are.
You then pick a secret number (a), but you don’t tell anyone. Instead you compute ga mod p and send that result back to me. (We’ll call that A since it came from a).
I do the same thing, but we’ll call my secret number b and the computed number B. So I compute gb mod p and send you the result (called “B”)
Now, you take the number I sent you and do the exact same operation with it. So that’s Ba mod p.
I do the same operation with the result you sent me, so: Ab mod p.

The “magic” here is that the answer I get at step 5 is the same number you got at step 4. Now it’s not really magic, it’s just math, and it comes down to a fancy property of modulo exponents. Specifically:

(ga mod p)b mod p = gab mod p
(gb mod p)a mod p = gba mod p

Which, if you examine closer, means that you’ll get the same answer no matter which order you do the exponentiation in. So I do it in one order, and you do it in the other. I never know what secret number you used to get to the result and you never know what number I used, but we still arrive at the same result.

That result, that number we both stumbled upon in step 4 and 5, is our shared secret key. We can use that as our password for AES or Blowfish, or any other algorithm that uses shared secrets. And we can be certain that nobody else, nobody but us, knows the key that we created together.