Friday, January 24, 2020

Perfect Forward Secrecy

Prior to PFS, all data transmitted between the server and client could be compromised if the server's private key were to be disclosed.
An attacker could simply store the encrypted traffic until the time they managed to get their hands on the private key.

During the initial handshake, the client creates the Pre-Master Secret (PMS 😂).
The PMS is then encrypted with the server's public key and sent to the server. The server decrypts it with its private key.
Using the PMS, both server and client generate the symmetric session keys (Master Secret).
If the attacker has been storing all the data right from the handshake, then once the server's private key is disclosed, the attacker can recover the PMS, generate the MS and decrypt all the data sent thereafter.

To enable PFS, the client and server must be able to use a cipher suite that includes a Diffie-Hellman key exchange. The key exchange must be ephemeral, i.e. the client and server need to generate a new set of D-H parameters (key material) for each session.
The key material is exchanged in clear text.
The key material then goes through the complex math magic of D-H to generate the shared secret.
This is too complex for the attacker to reverse (why .. not sure 🤔)

Now, even if the server's private key is compromised, it does not help the attacker recover the session key, because the session key was never encrypted with the server's public key.

Further, new D-H parameters are chosen for each session, and a new shared secret is generated. Thus, even if by some luck the attacker manages to compromise the shared secret, they will have done so for only that session.

How to get PFS?
 - Ensure you have TLS 1.2
 - Choose the correct cipher suites and ensure they are correctly ordered.
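An added example (not from the original post) for the second step above: it classifies each suite in a server's cipher list by its key exchange, flags the static-RSA suites that give no forward secrecy, and reports any of them ordered ahead of the ephemeral (ECDHE/DHE) ones. The accepted name formats (OpenSSL or IANA, colon-separated, already expanded) and the sample cipher string are assumptions.

```python
import re

# Only an ephemeral Diffie-Hellman exchange (ECDHE/DHE; always, in TLS 1.3)
# gives forward secrecy. Static RSA key transport does not: the pre-master
# secret is encrypted to the server's long-term key, the weakness described above.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "TLS1.3"}
KNOWN_KX = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "RSA", "PSK", "SRP", "ADH", "AECDH"}

def key_exchange(suite: str) -> str:
    """Key-exchange algorithm implied by an OpenSSL or IANA cipher-suite name.
    OpenSSL: ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256 (no prefix = RSA).
    IANA: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. TLS 1.3 names such as
    TLS_AES_128_GCM_SHA256 carry no key-exchange token; reported as "TLS1.3"."""
    name = suite.strip().upper()
    iana = name.startswith("TLS_")
    first = re.split(r"[-_]", name[4:] if iana else name)[0]
    if iana and first in {"AES", "CHACHA20"}:
        return "TLS1.3"
    return first if first in KNOWN_KX else "RSA"

def has_forward_secrecy(suite: str) -> bool:
    return key_exchange(suite) in EPHEMERAL_KX

def parse_cipher_string(cipher_string: str) -> list:
    """Split an OpenSSL-style colon-separated list into concrete suite names.
    Assumes the list is already expanded (as `openssl ciphers -v` prints it);
    directives such as !aNULL, +HIGH or @STRENGTH are skipped, not expanded."""
    return [c for c in cipher_string.split(":") if c and c[0] not in "!-+@"]

def audit_cipher_order(suites: list) -> dict:
    """Audit a server cipher list given in the server's preference order.
    Reports suites without forward secrecy, and those among them placed ahead
    of a forward-secret suite: with server-preferred ordering a client that
    offers both is steered onto the non-PFS suite."""
    pfs_positions = [i for i, s in enumerate(suites) if has_forward_secrecy(s)]
    last_pfs = pfs_positions[-1] if pfs_positions else -1
    no_pfs = [s for s in suites if not has_forward_secrecy(s)]
    misordered = [s for i, s in enumerate(suites)
                  if not has_forward_secrecy(s) and i < last_pfs]
    return {"no_pfs": no_pfs, "misordered": misordered, "pfs_only": not no_pfs}

# Constructed sample: static-RSA suites mixed in ahead of the ECDHE/DHE ones,
# the misordering the notes warn about.
SAMPLE_CIPHERS = ("AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
                  "AES256-SHA:TLS_AES_256_GCM_SHA384:!aNULL")

if __name__ == "__main__":
    print(audit_cipher_order(parse_cipher_string(SAMPLE_CIPHERS)))
```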

Heartbleed -

An OpenSSL bug that allows an attacker to extract data from the server's memory, e.g. the server's private key.
CVE-2014-0160


https://scotthelme.co.uk/perfect-forward-secrecy/

Perfect Forward Secrecy does not prevent a Man-in-the-Middle attacker from impersonating the server.
PFS means that if an attacker obtains your private key in the "future", they can NOT decrypt your "past" communications that they might have recorded.
