Arun Rajendran

Understanding Perfect Forward Secrecy

Blog Post created by Arun Rajendran Employee on Nov 24, 2015

Introduction

 

Perfect Forward Secrecy(PFS) is a password authenticated key agreement protocol where one generates a random public key per session. By generating a unique session key for every session a user initiates, even the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.

 

What used to happen

 

Before PFS came into existence, secure data transfer between client and server could be compromised once the private key information is leaked. The encrypted traffic could be recorded and stored by an attacker and once the attacker gets hold of the private key somehow, he can decrypt all recorded data in the past and future as well. This is because the client sends a Pre-Master Secret(PMS) to the server by encrypting using the server's public key. The server then decrypts it using it's own private key. Once they both have the PMS, they can compute the Master Secret(MS)

 

SSL_Handshake.png

 

Any attacker listening in can always record all data including the Random number 1 and 2. If the attacker can get hold of the server's private key somehow,  the attacker can easily decrypt and get hold of the PMS and compute MS using the Random number 1 and 2 recorded earlier.

 

How does PFS work

 

The client and server should be able to create one session key(Master Secret) per session. This way, even if that session key was to be compromised, the attacker would only be able to decrypt that particular session but not the previous and future ones. This can be achieved by using Diffie Hellman key exchange cipher suites that are ephemeral(i.e. lasts very briefly). For every new session, new Diffie Hellman parameters are generated. The example below may not incorporate the exact Diffie Hellman computation(as it is mathematically heavy), but will definitely give an idea of what is achieved and how.


Ram and Laxman agree to use prime number, p=5 and base, b=2

  • Ram chooses a secret integer, r=5 then sends Laxman R = br mod p

                R = 25 mod 5

                R = 32 mod 5

                R = 2

  • Laxman chooses a secret integer, l=10 then sends Ram L = bl mod p

                  L = 210 mod 5

                  L = 1024 mod 5

                  L = 4

  • Ram computes secret, s = LR mod p

                  s = 42 mod 5

                  s = 16 mod 5

                  s = 1

 

  • Laxman computes secret, s = RL mod p

                    s = 24 mod 5

                    s = 16 mod 5

                    s = 1

  • Ram and Laxman now share the same secret(1)

 

 

PFS ciphers

 

Any Diffie-Hellman key exchange will provide you with Forward Secrecy but choosing an Ephemeral key exchange will provide you with Perfect Forward Secrecy. This can be determined by the display of DHE or EDH in the cipher suite. Another point to note is that Elliptic Curve (EC) DHE/EDH is more faster than normal DHE/EDH. Some of the Ciphers suites are below:

 

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-SHA256

Outcomes