Let's talk about perfect forward secrecy
Perfect forward secrecy (PFS) is a security feature that comes up fairly regularly in debates about privacy, but historically it gets little discussion. At least, far less discussion than what are perceived as "core" features of a cryptosystem like key strength, message verification, or the web of trust. But that disparity is in part the result of a perception that PFS guards against some unlikely attack scenarios, such as a well-funded adversary capturing months or years' worth of traffic. Thanks to the recent revelations of bulk NSA surveillance, however, those scenarios suddenly seem a lot less unlikely to a lot of users, so PFS is attracting considerable attention.
The basic definition of forward secrecy is that compromising one encrypted conversation does not enable an attacker to then compromise any subsequent conversations. The simplest negative example would be using the same key to encrypt every session: if the key is discovered, the attacker can decrypt the current session and every session that follows. The fact that said attacker can also decrypt older sessions has not traditionally been a been part of the discussion (although it is true), probably because of the unlikelihood that most attackers would have been capturing sessions all along to begin with. After all, old SSL connection traffic is not recorded on servers at your favorite online shopping site—at least as far as anyone knows.
Thus, forward secrecy is a property that stems from how and when keys are generated and used, rather than from the ciphers involved. It essentially means that encryption keys must be ephemeral. Note that OpenPGP, for example, does not have forward secrecy, since its key pairs are by definition long-term assets. If a user's private key becomes public knowledge, the key can no longer be trusted by the user for future encryption and must be replaced, but all old messages encrypted with it are suddenly vulnerable to decryption, too.
There is a bit less agreement on what perfect forward secrecy means above and beyond mere forward secrecy (if indeed there is such a distinction), but the term PFS is typically used to indicate stronger guarantees against the domino-like compromise of one session from another. For example, if a long-term key is used to algorithmically derive a new ephemeral key for each session, some would argue that the forward secrecy is not "perfect." In such a scenario, if a session's ephemeral key was captured, no other sessions could be decrypted with it, but if the long-term key was captured, deriving the session keys—for multiple sessions—might be possible. Which key-derivation schemes and key-exchange protocols are perfect enough to count as PFS varies somewhat in the reading material. In common usage, however, the distinction rarely even comes into play, probably because so few encryption implementations in the wild offer forward secrecy at all.
PFS is a tad peculiar in at least one sense: it describes a property of a particular session that only provides protection to other sessions. That is, the presence or absence of PFS only comes into play when at least one private conversation has been decrypted (or one secret key can been captured). Perhaps it is no wonder, then, that it would remain an afterthought to hardening the rest of the system.
Present perfect
In practice, whether or not any given Internet connection has PFS depends on several factors. First and foremost is the availability of a key-exchange protocol that has PFS, but second is the practical question of whether the two parties in the conversation can agree on a PFS key exchange. That, of course, depends on things outside of the individual's control, such as the configuration of the remote web server.
The Diffie–Hellman key exchange protocol can offer PFS if it generates a new key (by using a new set of parameters) for every session. This is the default behavior, and the great majority of implementations use ephemeral parameters, but for clarity it is common to refer to this behavior as "ephemeral Diffie–Hellman" (EDH or DHE), just to be on the safe side.
PGP-style encryption, as it was noted above, does not offer PFS. But SSH does, since SSH session keys are ephemeral and are exchanged between hosts using DHE. Similarly, the Off-the-Record Messaging (OTR) protocol for instant messages uses DHE for key exchange, so it too offers PFS (in addition to several other privacy and security features). IPSec supports PFS as an option; when enabled, a new DHE key exchange is performed for each new session. But as a percentage of total Internet connections, all of these protocols account for but a fraction when compared to SSL/TLS, which is where the practical problem lies.
The SSL/TLS protocol supports a wide array of "cipher suites." Each cipher suite is a specific combination of a key-exchange algorithm, encryption algorithm, message authentication code, and pseudorandom function. In the handshake step of connection establishment, the client (e.g., web browser) and server each have their own cipher suite preferences; the client presents its list to the server, which is supposed to choose the top option that is supported by both.
DHE and its variant Elliptic Curve DHE (ECDHE) are two of the available options for key exchange, so users would be wise to place them at the top of their cipher-suite preferences. However, the majority of public web servers does not support DHE or ECDHE, so in practice most HTTPS connections are established without PFS. In June 2013, Netcraft published a look at PFS on the web, noting that of the eight most popular web service providers mentioned in the NSA surveillance scandal (Facebook, Twitter, Yahoo, Google, Microsoft, AOL, Apple, and Paltalk), only Google's servers negotiated for a PFS cipher suite during connection.
Most of the remaining web servers simply use public-key encryption to protect connection setup instead, with the client encrypting its part of the handshake with the server's public SSL certificate. The curious can investigate any server's configuration with SSL Labs's server test tool. While the RSA algorithm used for certificates has proven itself quite resistant to attack, to many it is not sufficient for NSA-proofing an SSL/TLS connection. A government agency could obtain the server's private key (i.e., the secret key which complements the SSL certificate that clients use to encrypt those initial messages to the server) with a court order or warrant, at which point any captured SSL/TLS connection from the server could be decrypted.
Naturally, an attacker in possession of the private key corresponding to the server's public SSL certificate can also do plenty of other bad things like man-in-the-middle attacks, so to some, worrying about PFS may sound like small potatoes. On the other hand, for many web users, government surveillance amounts to a different—not a lesser—threat. Strong cryptography might be the best safeguard against thieves and scammers, but PFS is the medicine prescribed for state-supported spying.
Forward progress
The good news is that all of the major free software browsers support PFS cipher suites for SSL/TLS, as do the free software web server projects. Among the servers, nginx is configured to prefer PFS cipher suites by default, and configuring the others to negotiate for it is a relatively simple affair.
Of course, Google only switched over to the PFS-enabled cipher suites on its web servers in 2011; any traffic captured before that could still (at least in theory) be decrypted if the right keys were found.
Looking forward, the NSA surveillance revelations have prompted a renewed interest in PFS, so there are a lot of discussions on Stack Exchange and similar forums about how to configure web servers to prefer PFS. The tide may indeed be changing, but some server administrators may be surprised to discover the costs associated with ephemeral key generation. Prior to the NSA story, there were several popular blog posts on the overhead that enabling DHE and ECDHE for SSL/TLS would impose on a web server. In 2011, for example, Vincent Bernat estimated DHE at a 300% performance hit, but ECDHE at only a 15–27% increase.
Whether such an increase in CPU cycles (and, potentially, hosting
costs) is worth it is a question only the server owner can answer. As
CPUs get faster over time, of course, the bottom-line calculations
could change. But PFS is meant to protect the participants in a
conversation for a very long time—hypothetically an attacker
could store captured traffic forever. And in the very long
run, the additional protections of PFS could be worth a high price
indeed.
| Index entries for this article | |
|---|---|
| Security | Encryption |
Posted Nov 7, 2013 5:54 UTC (Thu)
by dkg (subscriber, #55359)
[Link] (6 responses)
Recent crypto guidelines tend to suggest that 1024 bits is the minimum we should rely on for cryptosystems like DH based on the Discrete Log, and those wanting "near-term" non-crackable guarantees probably want to aim for significantly larger group sizes.
Even worse, some TLS clients can only deal with 1024-bit DHE (like Sun
Java 6 and 7), so servers might offer only weak DH group in order to not
break connectivity for those clients.
And apparently some servers are configured by default to offer only a 768-bit DH group (IIS) or a 1024-bit DH group (most stable versions of apache).
So a widespread move to PFS might actually be harming confidentiality
and message integrity rather than helping it (e.g. if you consider an adversary that has the ability to monitor traffic and some special insight to crack certain relatively small DH groups).
Posted Nov 7, 2013 7:57 UTC (Thu)
by Fowl (subscriber, #65667)
[Link] (3 responses)
> SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
Posted Nov 7, 2013 8:43 UTC (Thu)
by dkg (subscriber, #55359)
[Link] (2 responses)
But NSS does fail open at a 512-bit DH group (that's where the ssl_error_weak_server_ephemeral_dh_key cutoff appears to be from brief testing). A DH group of 512 bits is considered roughly equivalent in strength to a 512-bit RSA key. For comparison, RSA-155 (an example 512-bit composite generated in 1991) was factored in 1999, and it seems likely that powerful adversaries today have a wee bit more computational capacity (moore's law suggests that there have been roughly 9 doublings of compute power since 1999, and the NSA is probably proportionally better equipped today than Herman te Riele was then, even after "adjusting for inflation"). If you're worried about the NSA, it seems likely that they have the capability to break any given 512-bit DLP secret key in a short period of time if they decide to throw some hardware and electricity at it.
Since we're talking about PFS, successful cracking only gains the attacker access to a single session, and not to an entire archive of cracked traffic; but if that particular session is considered valuable or interesting, and the DHE group used was 512 bits, the session's confidentiality is probably not going to resist a determined attacker for long.
Posted Nov 7, 2013 22:20 UTC (Thu)
by dkg (subscriber, #55359)
[Link]
NSS rejects a 503-bit DH group, though, probably because it is testing the number of bytes used to store P, and 504 "rounds up" to 512.
Posted Nov 8, 2013 11:52 UTC (Fri)
by Jonno (subscriber, #49613)
[Link]
That said, I think it makes sense to require 2048 bit DHE groups for the green bar (EV Certificates), as those are supposed to be more trustworthy than regular HTTPS sites, and has a graceful fallback (regular HTTPS with padlock icon but no green bar).
Posted Nov 7, 2013 21:17 UTC (Thu)
by Trou.fr (subscriber, #26289)
[Link]
It is also worth noting that while DHE is very interesting (it seems very plausible the NSA could compromise the private keys of the servers it is interested in), some (broken) softwares do not allow the user to configure the group used. Apache was only very recently patched to allow this (https://issues.apache.org/bugzilla/show_bug.cgi?id=49559 3 years after initial report).
It seems very plausible an attacker could mount an attack against hardcoded groups, particularly if the key size is small enough (1024 bits seems completely feasible for a state attacker) and the software widely used.
Posted Nov 7, 2013 21:20 UTC (Thu)
by Trou.fr (subscriber, #26289)
[Link]
It always uses the order configured on the server. Before Windows 2008 and Crypto-NG, no cipher suite allowed DHE with RSA and even after, ciphers suites with PFS are at the end.
A paranoid mind could see the hand of the NSA here :)
Posted Nov 7, 2013 9:19 UTC (Thu)
by istenrot (subscriber, #69564)
[Link] (2 responses)
Most Linux distros are forced to disable ECDHE cipher suites because of U.S. patent issues. Take a look at this discussion: https://bugzilla.redhat.com/show_bug.cgi?id=319901
Posted Nov 7, 2013 12:38 UTC (Thu)
by jyaworski (guest, #83240)
[Link] (1 responses)
> As of the following update revisions, the "ec", "ecdh", and "ecdsa" options have been re-enabled in the openssl package:
> openssl-1.0.1e-4.fc18.1
Posted Nov 7, 2013 13:41 UTC (Thu)
by cesarb (subscriber, #6266)
[Link]
Posted Nov 7, 2013 12:53 UTC (Thu)
by meuh (guest, #22042)
[Link] (1 responses)
Posted Nov 21, 2013 14:14 UTC (Thu)
by mirabilos (subscriber, #84359)
[Link]
For PFS, both sides must, independently of each other, generate good random nonces. Reusing one side’s half loses all secrecy.
TLS doesn’t protect the DH key exchange with the existing certificate(s) – the server usually has got an RSA key, the client sometimes has, yet these are used only for the auth phase.
I’d rather have a non-PFS session (maybe with an ephemeral key that lives, oh, say a day) first, in which the client send the server, and the server the client, some random bytes which the receiving side MAY add into their entropy pool, *then* they do DH kex, and only then the non-PFS session is changed to PFS.
Another option is to use a sign-only RSA certificate on the TLS server side. But I don’t think an off-the-shelf CA is going to issue one to me without major money, and I fear implementation problems because this is so rarely used – mostly due to the cost of having to generate an ephemeral RSA encryption key per session.
Really, the either-or in SSLv3/TLSv1 smells like the NSA already had its fingers in there.
Posted Nov 16, 2013 16:30 UTC (Sat)
by glaesera (guest, #91429)
[Link] (1 responses)
Posted Nov 16, 2013 21:12 UTC (Sat)
by dlang (guest, #313)
[Link]
I note that the article doesn't address a major ongoing concern with
the DHE ciphersuites, which is that there is no mechanism in TLS to
negotiate the DH group parameters; instead, the server selecting a ciphersuite
with DHE key exchange simply tells the client what DH group it will
use. As a result, a client may receive a trivially-crackable group. i've grossly misconfigured https://demo.cmrg.net/ to offer a 16-bit
DH group if you'd like to test your favorite TLS implementation -- OpenSSL currently fails open. Connections made to that server provide no confidentiality or message integrity guarantees.
issues with DHE group parameter selection (PFS is not yet a panacea)
issues with DHE group parameter selection (PFS is not yet a panacea)
> (Error code: ssl_error_weak_server_ephemeral_dh_key)
Yep. I'm glad that NSS doesn't fail open at 16-bit DH group :)
issues with DHE group parameter selection (PFS is not yet a panacea)
In addition to the aforementioned 16-bit DH group offered by https://demo.cmrg.net/, I've now configured https://demo.cmrg.net:4433/ to offer a 504-bit DH group. It looks to me like NSS will happily connect to it, with no indication to the user that their expectations of confidentiality are likely to be unmet for this session if an adversary is logging it and wants to bother finding the discrete log of either side's public key.
issues with DHE group parameter selection (PFS is not yet a panacea)
issues with DHE group parameter selection (PFS is not yet a panacea)
issues with DHE group parameter selection (PFS is not yet a panacea)
issues with DHE group parameter selection (PFS is not yet a panacea)
ECC patent issues
ECC patent issues
> openssl-1.0.1e-4.fc19.1
> openssl-1.0.1e-27.fc20
> openssl-1.0.1e-27.fc21
ECC patent issues
One cost which is sometime forgotten is entropy needed to generate all the ephemeral random keys.Cost
When enabling PFS, one need a good HWRNG or a fast CSPRNG.
See LCE: Don't play dice with random numbers article for example.
Entropy and DH kex protection
Let's talk about perfect forward secrecy
On Forward Secrecy it appeared to me, that the so called bit-rot has to be regarded. The longer spying-services keep the data on their harddisks, the more likely it gets, that connections cannot be decrypted correctly anymore, years later, because the data was affected by single rotting bits, which would make them unusable, wouldn't it ?
Then, as far as I know, PFS can be provided currently by Apache version 2.4 and later, which is in Debian-Jessie and was not backported yet to Wheezy.
Finally, it does not have very high priority to backport Apache probably, because when US-companies use it, the NSA will read encrypted data anyway in a man-in-the-middle fashion, when the data pass into or out from these companies' cloud-services, so in fact very good encryption only means, that the NSA will read your data exclusively, when storing them in the US, just others will be unable to decrypt the contents, but these 'locked-out' services can still try to do statistical analysis on your data and try to provide a sense of security that way.
I want to point you there again:
https://www.eff.org/https-everywhere
These FAQ were also helpful for me:
https://www.eff.org/https-everywhere/faq
They tell you, what ssl-encryption can protect you from in principle.
If I got it correctly, then the meta-data can still be recorded in spite of encryption, but not the contents of your online-connections.
Let's talk about perfect forward secrecy