RSA vs ECDHE: what's the difference for key exchange?

6 minadvancedrsaecdhekey-exchangeforward-secrecy

Quick Answer

RSA key exchange has the client encrypt a secret directly with the server's long-term public key. ECDHE (Elliptic-curve Diffie-Hellman Ephemeral) has both sides generate temporary key pairs, and combine them mathematically to arrive at the same shared secret, without ever sending the secret itself. ECDHE's big advantage is forward secrecy — RSA key exchange doesn't provide that. TLS 1.3 dropped RSA key exchange entirely and only allows ECDHE (or plain DHE).

Detailed Answer

Both RSA and ECDHE let a client and server agree on a shared secret. They get there in very different ways.

RSA key exchange (old TLS 1.2 option, removed in TLS 1.3):

Client generates a random secret
Client encrypts it with the server's public key (from its certificate)
   ------------------------------------------------->
Server decrypts it with its private key
Both sides now share the same secret

The client picks the secret, encrypts it, and sends it over. Anyone with the server's private key can decrypt it — including the same private key used for every connection to that server.

ECDHE (used by TLS 1.2 optionally, required by TLS 1.3):

Client generates a temporary key pair       Server generates a temporary key pair
Client sends its temporary public key  -->
                                        <--  Server sends its temporary public key

Client combines: (its private key) + (server's public key) --> shared secret
Server combines: (its private key) + (client's public key) --> shared secret
(both arrive at the same value, without ever transmitting it directly)

Neither side ever sends the actual shared secret over the network — it's computed independently on each side, from a mix of public and private values.

Why this matters — forward secrecy:

  • With RSA key exchange, the same server private key is reused for every connection. If that private key ever leaks, an attacker who recorded past encrypted traffic can decrypt all of it, retroactively.
  • With ECDHE, a fresh, temporary ("ephemeral") key pair is generated for every single connection, then thrown away. Even if the server's long-term private key leaks later, past sessions stay safe, because they never depended on that key for the actual secret.

This forward-secrecy gap is exactly why TLS 1.3 removed RSA key exchange and requires ECDHE (or DHE) for every connection.