Confirmed users
529
edits
Security/Server Side TLS: Difference between revisions
→Forward Secrecy
| Line 142: | Line 142: | ||
= Forward Secrecy = | = Forward Secrecy = | ||
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral. | |||
With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key was only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a man in the middle. | With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key was only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a man in the middle. | ||