After reading the news about Google SSL PFS, it seems that even those who announce the news may confuse the following two concepts:
- Forward secrecy - the secrecy of future messages
- Backward secrecy - the secrecy of past messages
Using the term Perfect Forward Secrecy in the Google SSL PFS article is therefore really an example of backward secrecy. For most readers this will not matter, but those who want to figure it out are welcome to read on.
The secrecy of future messages concerns what happens if the private key of the asymmetric encryption is leaked: without this property, all future messages can be decrypted on the fly.
The secrecy of past messages concerns the same leak of the private key: without this property, all past messages recorded by the hacker (the network-attacker threat model) can be decrypted.
It should be noted that this refers to the private key of the server, not the client.
It should also be added that in this particular example, the Ephemeral Diffie-Hellman algorithm itself has both properties (secrecy of future and past messages). In other algorithms and message delivery schemes (commitment schemes), however, the algorithm may provide secrecy of future messages but not of past ones. One example is the timed efficient commitment scheme with bounded sender.
Let's now consider the key generation mechanisms for the current session in SSL / TLS.
So how can keys be generated in SSL / TLS? There are four main ways.
- RSA
- Fixed Diffie-Hellman
- Ephemeral Diffie-Hellman
- Anonymous Diffie-Hellman
Without going into the details of each method of forming a key, let's consider what properties each method has or “What's the worst thing that can happen?”.
If the RSA private key is lost, the hacker is able to decrypt all recorded past messages and all future messages. The key exchange in RSA is one-way (non-contributory): all the information needed to form the symmetric key created during the handshake phase (SSL / TLS handshake) is sent to the server encrypted with the server's public key. Disclosure of the private key therefore lets the hacker recover the symmetric key of each such session.
The Fixed Diffie-Hellman mechanism uses a permanent public key (g ^ a mod p), which is registered in the server certificate. With each new connection, the client (browser) provides its part of the key (g ^ b mod p). After the key exchange, a new symmetric key (g ^ (ab) mod p) is formed to protect the information exchanged in the current session. If the server's Diffie-Hellman private key (a from g ^ a mod p) is disclosed, the hacker will be able to decrypt previously recorded messages as well as all future messages. This follows from the Diffie-Hellman mechanism itself: (g ^ a mod p) ^ b mod p = g ^ (ab) mod p. Since the hacker knows the server's private key, he can find out the symmetric key of every session, and even the fact that the key generation mechanism is two-way (contributory) will not help.
Anonymous Diffie-Hellman does not guarantee secrecy because data is transmitted unencrypted.
The only option that guarantees the security of both past and future messages is Ephemeral Diffie-Hellman. The difference from the methods discussed above is that with each new connection a one-time key is created by both the server and the client (g ^ a mod p and g ^ b mod p). Thus, even if the hacker gets the current private key, he can decrypt only the current session, not previous or future sessions.
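The following added example (not part of the original article, and not code from any TLS implementation) models the three key-exchange styles compared above with toy numbers and checks what a single leaked server private value exposes among several recorded sessions. The RSA key (primes 999983 and 1000003), the Diffie-Hellman modulus 2^127 - 1 and base 5, and all "recorded transcripts" are constructed here for illustration; they are far too small for real use and stand in for the certificate key and the handshake messages a network attacker would record.

```python
"""
Toy model: what does a leaked server private value reveal about recorded sessions
under RSA key transport, Fixed Diffie-Hellman and Ephemeral Diffie-Hellman?
All parameters are deliberately tiny, constructed values (not real TLS parameters).
"""
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2^127 - 1 and an arbitrary base 5.
P = 2**127 - 1
G = 5


def dh_public(private):
    return pow(G, private, P)


def dh_shared(peer_public, private):
    # (g^x)^y mod p == g^(xy) mod p, the identity the article relies on
    return pow(peer_public, private, P)


def random_exponent():
    return secrets.randbelow(P - 2) + 1


# Toy RSA server key from two small primes (constructed; a real key is 2048+ bits).
RSA_P, RSA_Q = 999983, 1000003
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_sessions(count):
    """RSA key transport: the client alone picks the premaster secret and sends it
    encrypted to the server's public key.  Returns (recorded ciphertexts, true secrets)."""
    transcript, true_secrets = [], []
    for _ in range(count):
        pms = secrets.randbelow(RSA_N)
        transcript.append(pow(pms, RSA_E, RSA_N))  # what a passive observer records
        true_secrets.append(pms)
    return transcript, true_secrets


def rsa_recover(transcript, leaked_d):
    """With the private exponent, every recorded ciphertext, past or future, opens."""
    return [pow(c, leaked_d, RSA_N) for c in transcript]


def fixed_dh_sessions(server_long_term_a, count):
    """Fixed DH: g^a sits in the certificate and is reused; only the client share b is
    fresh per session.  Returns (recorded client shares, true session keys)."""
    server_pub = dh_public(server_long_term_a)
    transcript, keys = [], []
    for _ in range(count):
        b = random_exponent()
        transcript.append(dh_public(b))        # g^b is visible on the wire
        keys.append(dh_shared(server_pub, b))  # client computes g^(ab)
    return transcript, keys


def fixed_dh_recover(transcript, leaked_a):
    """(g^b)^a = g^(ab): one leaked long-term exponent yields every session key."""
    return [dh_shared(client_pub, leaked_a) for client_pub in transcript]


def ephemeral_dh_sessions(count):
    """Ephemeral DH: both sides draw a fresh exponent per session.  Returns the wire
    transcript (server share, client share), the true keys, and the server's per-session
    exponents (which a real server keeps only in memory and discards afterwards)."""
    transcript, keys, server_exponents = [], [], []
    for _ in range(count):
        a, b = random_exponent(), random_exponent()
        transcript.append((dh_public(a), dh_public(b)))
        keys.append(dh_shared(dh_public(b), a))
        server_exponents.append(a)
    return transcript, keys, server_exponents


def ephemeral_dh_recover(transcript, leaked_a):
    """Apply one leaked session exponent to every recorded transcript; it only matches
    the session it actually belonged to."""
    return [dh_shared(client_pub, leaked_a) for (_server_pub, client_pub) in transcript]


def sessions_exposed(recovered, true_keys):
    return sum(r == k for r, k in zip(recovered, true_keys))


def demo(count=3):
    """For each mechanism, how many of `count` recorded sessions does one leaked
    server private value expose?  Expected: RSA and Fixed DH expose all, Ephemeral DH one."""
    result = {}
    t, true_keys = rsa_sessions(count)
    result["rsa"] = sessions_exposed(rsa_recover(t, RSA_D), true_keys)
    a = random_exponent()
    t, true_keys = fixed_dh_sessions(a, count)
    result["fixed_dh"] = sessions_exposed(fixed_dh_recover(t, a), true_keys)
    t, true_keys, exps = ephemeral_dh_sessions(count)
    result["ephemeral_dh"] = sessions_exposed(ephemeral_dh_recover(t, exps[0]), true_keys)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the leaked RSA exponent and the leaked fixed-DH exponent recover every recorded session, while a leaked ephemeral exponent recovers only the single session it was generated for. The contributory client share in Fixed DH does not help, exactly as the article notes, because the server's reused exponent is the one value that links all transcripts.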