Thursday, December 5, 2013

Perfect Forward Secrecy

What is perfect forward secrecy?
In cryptography, Perfect Forward Secrecy is a property of key-agreement protocols which ensures that a session key derived from a set of long-term keys will not be compromised if one of those long-term keys is compromised in the future.
Thus, if your web server is hacked and the server's keys are compromised, possession of those keys does not allow the attacker to decrypt prior communication sessions that may have been captured in transit.

When Perfect Forward Secrecy is used, both parties to a communication session generate session keys on the fly, and only the two parties have access to those keys. No one else, even someone with access to the server's private key, can determine what the session keys were and thereby decrypt a session that was captured in transit.

After the session is complete, both parties destroy the session keys. The only way to decrypt the communication for that session is to brute-force the session keys themselves, and breaking strong session keys is clearly much harder than obtaining a server's private key. Bear in mind also that each session has different session keys, which makes an attacker's job far more time- and resource-intensive.

Which cipher suites are supported?
SSL/TLS supports Perfect Forward Secrecy using two key-exchange algorithms: ephemeral Diffie-Hellman (DHE) and its adaptation to elliptic-curve cryptography (ECDHE).

Why isn't everyone using them, then?
Assuming the interest and knowledge to deploy forward secrecy are there, two obstacles remain:
  • DHE is significantly slower. For this reason, web site operators tend to disable all DHE suites in order to achieve better performance, and in recent years DHE has fallen out of fashion. Internet Explorer 9 and 10, for example, support DHE only in combination with obsolete DSA keys.
  • ECDHE is slower too, but not as much as DHE. (Vincent Bernat published a blog post about the impact of ECDHE on performance in 2011; the numbers may have changed since.)
The graph from that blog post (not reproduced here) shows performance for 1000 handshakes with various cipher suites (RSA 2048, DHE, ECDHE, optimized ECDHE).



Support for clients
If you're willing to support both ECDHE and DHE, you will probably be able to offer Perfect Forward Secrecy to virtually all clients. ECDHE alone is supported by all major modern browsers, so even with only ECDHE you may cover a very large chunk of your user base. The decision is entirely up to you; Google, for example, does not support any DHE suites on its main web sites.
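As an added example that is not part of the original post, the Python script below audits a cipher list for forward secrecy by looking at the key-exchange prefix of OpenSSL-style suite names, and builds a server context that offers only ephemeral suites, ECDHE first and DHE as the fallback discussed above. The names in SAMPLE_CIPHER_LIST are constructed sample data; the context check reflects whatever the local OpenSSL build enables.

```python
import ssl

# Constructed sample of OpenSSL-style cipher-suite names, as a scanner might
# report them for a server (sample data, not from the original post).
SAMPLE_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",    # ephemeral ECDH: forward secret
    "DHE-RSA-AES256-SHA",             # ephemeral DH: forward secret, but slower
    "AES128-SHA",                     # static RSA key exchange: NOT forward secret
    "ECDHE-ECDSA-AES256-GCM-SHA384",  # ephemeral ECDH with ECDSA authentication
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3 suite: key exchange is always ephemeral
    "RC4-SHA",                        # static RSA key exchange and a broken cipher
]

def provides_forward_secrecy(name):
    """True when the suite uses an ephemeral key exchange (DHE or ECDHE).
    With static RSA key exchange the pre-master secret is encrypted to the
    server's long-term key, so a later compromise of that key decrypts
    recorded sessions; only ephemeral exchanges avoid this."""
    if name.startswith("TLS_"):  # TLS 1.3 names carry no key-exchange prefix
        return True
    kx = name.split("-")[0]
    # EDH and EECDH are older OpenSSL spellings of DHE and ECDHE.
    return kx in ("ECDHE", "DHE", "EDH", "EECDH")

def audit(names):
    """Split a cipher list into (forward_secret, not_forward_secret)."""
    ok = [n for n in names if provides_forward_secrecy(n)]
    bad = [n for n in names if not provides_forward_secrecy(n)]
    return ok, bad

def pfs_only_context():
    """Server context offering only ephemeral key exchange: ECDHE first
    (fast, supported by all major modern browsers), DHE as fallback."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!MD5")
    return ctx

def context_offers_only_pfs(ctx):
    """Check every suite the context will actually offer, as enabled by the
    local OpenSSL build, against the classifier."""
    return all(provides_forward_secrecy(c["name"]) for c in ctx.get_ciphers())

if __name__ == "__main__":
    fs, not_fs = audit(SAMPLE_CIPHER_LIST)
    print("forward secret:    ", fs)
    print("NOT forward secret:", not_fs)
    print("hardened context is PFS-only:", context_offers_only_pfs(pfs_only_context()))
```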

Conclusion
If the performance hit is acceptable, sites should use Perfect Forward Secrecy as an extra layer of protection against server key compromise.