Login/Register
How does perfect forward secrecy (PFS) work
Asked Answered
Solved httpscryptographypublic-key-encryption
V

3

17

I'm in an infosec class and I stumbled upon this concept online and it intrigued me. I've also looked at a few websites and wikipedia that explain the concept, as well as a few posts on stackoverflow, but I'm still getting confused. From what I understand is in a typical HTTPS public key exchange, a browser and a server come together with keys to create a session key...if someone ever obtained a private key that derived the session key, they could see all the data that was sent between this connection, even in the past.

My understanding is that with PFS, the 'session key' is never sent , even in encrypted form. It is kept secret so that even if someone found a private key, they wouldn't be able to access encrypted recorded information from the past. Is this correct?

I also was wondering, If I am partaking in a PFS exchange call me "A", with a server "B", PFS is supposed to work with the fact that if my key becomes compromised, A and B's conversation wont become compromised because they don't know the session key. But how does "B" authenticate me as "A", if my key has in fact became compromised...e.g. how would it know the difference between me (A) or another user (C) using my key attempting to access the data.

Virgenvirgie answered 10/12, 2013 at 21:45 Comment(1)
This question appears to be off-topic because it is about crypto theory. Try crypto.stackexchange.comSaundrasaunter
C
10

In a non-PFS session the browser decides on the session key (or rather secret from which it is derived) and encrypts it using RSA, with the RSA public key obtained from a certificate that belongs to the server. The certificate is also used to authenticate the server. The server then uses its private key (what you call master key) to decrypt the session key. All connections to the server use different session keys, but if you possess the master key you can figure them all out, the way the server does. In PFS you use algorithms such as Diffie-Hellman, where the master key is not used. In such connection the master key is used to authenticate the parameters for the algorithm. After the parameters are agreed on, the key exchange takes place using those parameters, and a secret of both parties. The parameters are not secret, and the secrets the parties used are discarder after the session key is established (ephemeral). This way if you discover the master key you cant discover the session key. However you can pose as the server if you get the key, and the certificate is not invalidated. To find out more read about Diffie-Hellman.

Colston answered 12/12, 2013 at 18:23 Comment(0)
O
44

I really like the answer on Quora given by Robert Love: http://www.quora.com/What-is-perfect-forward-secrecy-PFS-as-used-in-SSL

Let's look at how key exchange works in the common non-ephemeral case. Instead of giving a practical example using, say, Diffie-Hellman, I'll give a generalized example where the math is simple:

Alice (client) wants to talk to Bob (server).

Bob has a private key X and a public key Y. X is secret, Y is public.

Alice generates a large, random integer M.

Alice encrypts M using Y and sends Y(M) to Bob.

Bob decrypts Y(M) using X, yielding M.

Both Alice and Bob now have M and use it as the key to whatever cipher they agreed to use for the SSL session—for example, AES.

Pretty simple, right? The problem, of course, is that if anyone ever finds out X, every single communication is compromised: X lets an attacker decrypt Y(M), yielding M. Let's look at the PFS version of this scenario:

Alice (client) wants to talk to Bob (server).

Bob generates a new set of public and private keys, Y' and X'.

Bob sends Y' to Alice.

Alice generates a large, random integer M.

Alice encrypts M using Y' and sends Y'(M) to Bob.

Bob decrypts Y'(M) using X', yielding M.

Both Alice and Bob now have M and use it as the key to whatever cipher they agreed to use for the SSL session—for example, AES.

(X and Y are still used to validate identity; I'm leaving that out.)

In this second example, X isn't used to create the shared secret, so even if X becomes compromised, M is undiscoverable. But you've just pushed the problem to X', you might say. What if X' becomes known? But that's the genius, I say. Assuming X' is never reused and never stored, the only way to obtain X' is if the adversary has access to the host's memory at the time of the communication. If your adversary has such physical access, then encryption of any sort isn't going to do you any good. Moreover, even if X' were somehow compromised, it would only reveal this particular communication.

That's PFS.

Overload answered 13/10, 2014 at 2:47 Comment(2)
Maybe this is a stupid question, but is the new key Y' encrypted using Y for transmission? Or is Y' sent in plain text?Shumaker
Both Y and Y' are public. There is no need to encrypt either. (Encrypting with Y would be of limited value because only the owner of X would be able to decrypt it.)Antin
C
10

In a non-PFS session the browser decides on the session key (or rather secret from which it is derived) and encrypts it using RSA, with the RSA public key obtained from a certificate that belongs to the server. The certificate is also used to authenticate the server. The server then uses its private key (what you call master key) to decrypt the session key. All connections to the server use different session keys, but if you possess the master key you can figure them all out, the way the server does. In PFS you use algorithms such as Diffie-Hellman, where the master key is not used. In such connection the master key is used to authenticate the parameters for the algorithm. After the parameters are agreed on, the key exchange takes place using those parameters, and a secret of both parties. The parameters are not secret, and the secrets the parties used are discarder after the session key is established (ephemeral). This way if you discover the master key you cant discover the session key. However you can pose as the server if you get the key, and the certificate is not invalidated. To find out more read about Diffie-Hellman.

Colston answered 12/12, 2013 at 18:23 Comment(0)
F
1

You generate a new public key for every message, and use the real permanent public key only for authentication

This was mentioned in other answers, but I just want to give a more brain parseable and contextual version of it.

There are two things you can do with someone's public key:

In many ways, authentication is the more critical/costly step, because to know that a given public key belongs to someone while avoiding a man in the middle attack, you need to take steps such as:

  • meet them in real life and share the public key (leave your home???)
  • talk to them over video (deepfakes???)
  • trusted signature providers (centralization!!!)

Generating new keys is however comparatively cheap.

So once you have done this costly initial key validation step, you can now just:

  • ask the receiver to generate a new temporary public key for every message you want to send them
  • the receiver sends you the temporary public key back to you, signed by their permanent public key. Nothing ever gets encrypted by the permanent key, only signed. No need to encrypt public keys being sent!
  • you verify the message signature with the permanent public key to avoid MITM, and you then use that temporary key encrypt your message

After the message is received and read, they then immediately delete that temporary private key and the decrypted message.

So now if their computer gets hacked and the permanent private key leaks, none of the old encrypted messages that the attacker captured over the wire can be decrypted, because the temporary key was used to encrypt them, and that has been long since deleted.

Future messages would be susceptible to MITM however if they don't notice and change their permanent key after the leak.

Frankish answered 9/2, 2021 at 11:29 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.