SSL / TLS Notes: forward, backward secrecy

Reading the news about Google enabling PFS on its SSL servers, it seems that even the people announcing it can confuse the following two concepts:
  • Forward secrecy - secrecy of future messages
  • Backward secrecy - secrecy of past messages

Under the name Perfect forward secrecy, the Google SSL PFS article actually gives an example of backward secrecy in the sense defined above. (In the cryptographic literature, RFC 4949 included, "forward secrecy" is conventionally the name for exactly that protection of past traffic; the split into two properties used here is this post's own framing.) For most readers this will not matter much, but for those who want to sort it out, read on.


Secrecy of future messages is about what happens after the long-term private key of an asymmetric scheme leaks: without this property, an attacker who holds the key can decrypt every later message as it crosses the wire; with it, sessions established after the leak stay protected.

Secrecy of past messages is about the same leak applied backwards: without this property, every past session the attacker has recorded (the passive network-attacker threat model: capture now, decrypt later) can be decrypted once the key is obtained; with it, the recordings stay useless.

Here "private key" means the server's long-term private key, not the client's; in the usual TLS deployment the client has no long-term key at all.

It should also be added that in the specific case of Ephemeral Diffie-Hellman, the mechanism itself provides both properties (secrecy of future and of past messages). Other algorithms and commitment schemes may provide secrecy of future messages but not of past ones; one example is the Timed efficient commitment scheme with a bounded sender.

Let's now look at how the keys for the current session are established in SSL/TLS.
How can session keys be formed in SSL/TLS? There are four main ways (these are the modes of SSL 3.0 through TLS 1.2; TLS 1.3 keeps only the ephemeral one):
  • RSA
  • Fixed Diffie-Hellman
  • Ephemeral Diffie-Hellman
  • Anonymous Diffie-Hellman

Without going into the details of each key establishment method, let's look at the properties each of them has, or "What's the worst thing that can happen?".

If the server's RSA private key leaks, the attacker can decrypt all recorded past sessions and all future ones. RSA key exchange is one-way (non-contributory): the client alone chooses the premaster secret from which the session keys are derived during the handshake (SSL/TLS handshake), and sends it to the server encrypted under the server's public key. Whoever holds the private key can decrypt that message from any recorded handshake and recompute the symmetric key of that session.

Fixed Diffie-Hellman uses a constant public key (g ^ a mod p) that is embedded in the server certificate. On each new connection the client (browser) contributes its own share (g ^ b mod p). After the exchange, a fresh symmetric key (g ^ (ab) mod p) is derived for the current session. By obtaining the server's Diffie-Hellman private key (a from g ^ a mod p), the attacker can decrypt previously recorded sessions as well as all future ones. This follows from the Diffie-Hellman mechanism itself: (g ^ b mod p) ^ a mod p = g ^ (ab) mod p. Since the attacker knows the server's private exponent, he can recompute the symmetric key of every session from the client's share alone, and the fact that the mechanism is two-way (contributory) does not help.

Anonymous Diffie-Hellman provides no guarantee of confidentiality because neither side is authenticated. The traffic is encrypted, but an active attacker can sit in the middle, agree one key with the client and another with the server, and read everything passing between them; a long-term key does not even need to leak.

The only option that guarantees the secrecy of both past and future messages is Ephemeral Diffie-Hellman (and its elliptic-curve variant, ECDHE). The difference from the methods above is that on each new connection the server and the client generate one-time keys (g ^ a mod p and g ^ b mod p) and discard the exponents afterwards; the server's long-term key is used only to sign its share. So even if the attacker obtains the ephemeral private key of the current session, he can decrypt only that session, not previous or future ones. Two practical caveats: the guarantee holds only if the "ephemeral" exponent really is fresh per connection (OpenSSL, for instance, reused the temporary DH key across connections unless SSL_OP_SINGLE_DH_USE was set), and session tickets encrypted under a long-lived ticket key reintroduce a single secret that unlocks past sessions.
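To make the "what's the worst that can happen" comparison concrete, here is a small model of the four modes as an added example; it is not code from the original post. It records six handshakes as a passive attacker would, then leaks the server's long-term keys and checks which session keys the attacker can recompute purely from the recordings: RSA and fixed DH sessions fall, ephemeral DH sessions do not. A second function shows why anonymous DH fails differently, through an active man-in-the-middle rather than a key leak. Assumptions: the DH group is RFC 2409 group 2 (1024-bit MODP, generator 2); the RSA key is textbook RSA over two Mersenne primes with no padding, a stand-in for the real key transport; SHA-256 of the shared secret stands in for the TLS PRF; the function names are mine.

```python
"""Toy model of SSL/TLS key establishment: which recorded sessions can an attacker
recover once the server's long-term key leaks? (Added example, not the post's code.)"""
import hashlib
import secrets

# RFC 2409 "group 2": 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# Toy RSA over two Mersenne primes (textbook RSA, no padding): illustration only.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS PRF: session key = H(shared secret)."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def dh_private() -> int:
    """Random exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def rsa_session():
    """RSA key transport (non-contributory): the client alone picks the premaster
    and sends it encrypted under the server's public key. Returns (wire transcript, key)."""
    premaster = secrets.randbelow(RSA_N)
    transcript = {"mode": "rsa", "enc_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, session_key(premaster)


def dh_session(server_priv: int, ephemeral_server: bool):
    """Fixed DH (server reuses the exponent behind its certificate) or ephemeral DH
    (fresh exponent, discarded after the handshake). Client share is always fresh."""
    a = dh_private() if ephemeral_server else server_priv
    b = dh_private()
    transcript = {"mode": "dhe" if ephemeral_server else "dh",
                  "server_pub": pow(G, a, P), "client_pub": pow(G, b, P)}
    return transcript, session_key(pow(transcript["client_pub"], a, P))


def passive_attack(transcripts, leaked_rsa_d=None, leaked_dh_priv=None):
    """Recompute session keys from recorded transcripts plus leaked long-term keys.
    Only what the algebra allows is recovered; nothing is guessed."""
    recovered = {}
    for i, t in enumerate(transcripts):
        if t["mode"] == "rsa" and leaked_rsa_d is not None:
            recovered[i] = session_key(pow(t["enc_premaster"], leaked_rsa_d, RSA_N))
        elif t["mode"] == "dh" and leaked_dh_priv is not None:
            # (g^b)^a = g^(ab): the server's fixed exponent unlocks every session.
            recovered[i] = session_key(pow(t["client_pub"], leaked_dh_priv, P))
        # "dhe": the server's ephemeral exponent is gone; the transcript is useless.
    return recovered


def anon_dh_mitm():
    """Anonymous DH: no authentication, so an active attacker swaps in its own share
    in both directions. Returns (client_key, server_key, key_mitm_shares_with_client,
    key_mitm_shares_with_server)."""
    a, b, m = dh_private(), dh_private(), dh_private()
    server_pub, client_pub, mitm_pub = pow(G, a, P), pow(G, b, P), pow(G, m, P)
    client_key = session_key(pow(mitm_pub, b, P))   # client thinks mitm_pub is the server
    server_key = session_key(pow(mitm_pub, a, P))   # server thinks mitm_pub is the client
    return (client_key, server_key,
            session_key(pow(client_pub, m, P)), session_key(pow(server_pub, m, P)))


def demo():
    """Record six sessions, then leak the server's long-term keys.
    Returns (set of modes whose sessions were recovered, number of sessions recovered)."""
    server_dh_priv = dh_private()   # exponent behind the certificate's g^a mod p
    transcripts, true_keys = [], []
    for mode in ("rsa", "dh", "dhe", "rsa", "dh", "dhe"):
        t, k = rsa_session() if mode == "rsa" else dh_session(server_dh_priv, mode == "dhe")
        transcripts.append(t)
        true_keys.append(k)
    got = passive_attack(transcripts, leaked_rsa_d=RSA_D, leaked_dh_priv=server_dh_priv)
    assert all(got[i] == true_keys[i] for i in got)   # every recovered key is correct
    return {transcripts[i]["mode"] for i in got}, len(got)


if __name__ == "__main__":
    print("recovered after long-term key leak:", demo())          # ({'rsa', 'dh'}, 4)
    c, s, mc, ms = anon_dh_mitm()
    print("anon DH MITM reads both sides:", mc == c and ms == s)  # True
```

The passive attacker never touches a "dhe" transcript because there is nothing to apply the leaked key to: the server's ephemeral exponent was never written down. The anonymous-DH case needs no leak at all, which is why it belongs in a different failure class (no authentication) rather than with the key-compromise cases.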
