The Diffie-Hellman key exchange protocol allows for the creation of confidential symmetric keys through an asymmetric exchange of cleartext seed information. The basis for this exchange is the mathematical relationship between logarithms and prime numbers in modular arithmetic.
In Diffie-Hellman, each end selects an integer at random (call them a and b). The integers a and b are kept private on each end. Also, each end has agreed in advance to use two parameters, g and p, where p is a very large prime number. Given this information, the following calculations are performed:
These calculated values are exchanged publicly in the clear. The security of this transaction is based on the idea that factoring problems involving the very large (and secret) prime number p are computationally intractable. So g, a, and b are unlikely to be discovered from an interception of the publicly transmitted calculations.
After the exchange of calculated values, each end now is in possession of either a and g^b mod p or b and g^a mod p. This allows for the following calculations to occur:
(g^a)^b mod p = g^(ab) mod p = k
(g^b)^a mod p = g^(ba) mod p = g^(ab) mod p = k
So through the exchange of cleartext calculations, each side is able to derive the same secret key, k. Key k is then used as a symmetric key to encrypt the remainder of the session.
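The exchange described above, with both ends played in one process, as an added example that is not part of the original page. The constants P and G are constructed toy parameters (not a real Diffie-Hellman group), the function names are hypothetical, and the range check on the received value is an addition beyond what the text describes.

```python
import secrets

# Constructed toy parameters agreed in advance by both ends.
# Assumption for illustration only: far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3

def check_public(value, p=P):
    """Reject received values of 0, 1, p-1 or anything outside 2..p-2.

    With such a value the resulting key is predictable (for example,
    1^a mod p is always 1), whatever private integer this end chose.
    """
    if not 1 < value < p - 1:
        raise ValueError("peer public value out of range")
    return value

def make_keypair(p=P, g=G):
    """Pick a private integer at random and compute g^x mod p to send."""
    while True:
        private = secrets.randbelow(p - 3) + 2      # uniform in 2..p-2
        public = pow(g, private, p)
        if 1 < public < p - 1:                      # never send a degenerate value
            return private, public

def shared_key(own_private, peer_public, p=P):
    """Compute (g^b)^a mod p from our private a and the peer's g^b mod p."""
    return pow(check_public(peer_public, p), own_private, p)

def run_exchange():
    """Both ends of one exchange; returns the key each end derived."""
    a, g_a = make_keypair()          # a stays private, g_a is sent in the clear
    b, g_b = make_keypair()          # b stays private, g_b is sent in the clear
    k_first = shared_key(a, g_b)     # (g^b)^a mod p
    k_second = shared_key(b, g_a)    # (g^a)^b mod p
    return k_first, k_second

if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys match:", k1 == k2)
```
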
Diffie-Hellman requires previous agreement on large prime numbers and other parameters. These parameters are called Diffie-Hellman groups. Diffie-Hellman groups are identified by number, with higher numbered groups involving longer parameters and stronger encryption.
Diffie-Hellman is used in IPSec in conjunction with Internet Key Exchange (IKE).