[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)
Viktor Dukhovni
cryptography at dukhovni.org
Wed Sep 11 14:27:18 EDT 2013
On Tue, Sep 10, 2013 at 12:56:16PM -0700, Bill Stewart wrote:
> I thought the normal operating mode for PFS is that there's an
> initial session key exchange (typically RSA) and authentication,
> which is used to set up an encrypted session, and within that
> session there's a DH or ECDH key exchange to set up an ephemeral
> session key, and then that session key is used for the rest of the
> session.
This is not the case in TLS. The EDH or EECDH key exchange is
performed in the clear. The server EDH parameters are signed with
the server's private key.
https://tools.ietf.org/html/rfc2246#section-7.4.3
In TLS with EDH (aka PFS) breaking the public key algorithm of the
server certificate enables active attackers to impersonate the
server (including MITM attacks). Breaking the Diffie-Hellman or
EC Diffie-Hellman algorithm used allows a passive attacker to
recover the session keys (break must be repeated for each target
session), this holds even if the certificate public-key algorithm
remains secure.
--
Viktor.
More information about the cryptography
mailing list