[147036] in cryptography@c2.net mail archive

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd:

daemon@ATHENA.MIT.EDU (Viktor Dukhovni)
Wed Sep 11 14:30:50 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Sep 2013 18:27:18 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
In-Reply-To: <20130911055905.B286BE6FD@a-pb-sasl-quonix.pobox.com>
Reply-To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Tue, Sep 10, 2013 at 12:56:16PM -0700, Bill Stewart wrote:

> I thought the normal operating mode for PFS is that there's an
> initial session key exchange (typically RSA) and authentication,
> which is used to set up an encrypted session, and within that
> session there's a DH or ECDH key exchange to set up an ephemeral
> session key, and then that session key is used for the rest of the
> session.

This is not the case in TLS.  The EDH or EECDH key exchange is
performed in the clear.  The server EDH parameters are signed with
the server's private key.

    https://tools.ietf.org/html/rfc2246#section-7.4.3

In TLS with EDH (aka PFS), breaking the public key algorithm of the
server certificate enables active attackers to impersonate the
server (including MITM attacks).  Breaking the Diffie-Hellman or
EC Diffie-Hellman algorithm used allows a passive attacker to
recover the session keys (the break must be repeated for each target
session); this holds even if the certificate public-key algorithm
remains secure.

-- 
	Viktor.
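
The message layout from the RFC 2246 section linked above, as an added example that is not part of the original message: a parser for a TLS 1.0 DHE_RSA ServerKeyExchange body, showing that p, g and Ys are read directly off the wire and which bytes the server's signature covers. The function names, the toy group (p=23, g=5), the randoms and the placeholder signature bytes are all constructed for illustration.

```python
import hashlib
import struct

def read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def parse_dhe_rsa_ske(body):
    """Split a TLS 1.0 DHE_RSA ServerKeyExchange body into its fields."""
    p, off = read_vec16(body, 0)
    g, off = read_vec16(body, off)
    ys, off = read_vec16(body, off)
    params_raw = body[:off]            # ServerDHParams exactly as sent, unencrypted
    sig, end = read_vec16(body, off)   # signature over randoms + ServerDHParams
    if end != len(body):
        raise ValueError("trailing bytes after signature")
    return {"p": int.from_bytes(p, "big"), "g": int.from_bytes(g, "big"),
            "Ys": int.from_bytes(ys, "big"), "params_raw": params_raw,
            "signature": sig}

def signed_digest(client_random, server_random, params_raw):
    """MD5 || SHA-1 over ClientHello.random + ServerHello.random + ServerDHParams.
    This 36-byte value is what the server's RSA key signs in TLS 1.0; the RSA
    verification itself is not implemented here."""
    data = client_random + server_random + params_raw
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()

# Constructed sample: p=23, g=5, Ys=8 (5^6 mod 23), 4 placeholder signature bytes.
SAMPLE_SKE = (b"\x00\x01\x17" b"\x00\x01\x05" b"\x00\x01\x08"
              b"\x00\x04" b"\xde\xad\xbe\xef")
CLIENT_RANDOM = bytes(range(32))       # constructed, not from a real handshake
SERVER_RANDOM = bytes(range(32, 64))   # constructed, not from a real handshake

if __name__ == "__main__":
    ske = parse_dhe_rsa_ske(SAMPLE_SKE)
    print("cleartext DH params:", ske["p"], ske["g"], ske["Ys"])
    digest = signed_digest(CLIENT_RANDOM, SERVER_RANDOM, ske["params_raw"])
    print("digest the certificate key signs:", digest.hex())
```

The signature binds the ephemeral parameters to this handshake's randoms and to the certificate key, which is why the certificate algorithm matters for impersonation while the DH group matters for passive recovery.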