23

I have been reading Bulletproof SSL and TLS

Diffie Hellman is a key exchange mechanism, in which each of server and client share secret i.e. gx and gy respectively with each other where g is generator of some group. They calculate secret S = (gy)x and (gx)y respectively. Note that an attacker in the middle cannot get the value of S from gx and gy, since discrete logarithm is a hard problem. But, an active attacker can masquerade and fool both server and client.

DHKE

Now in RSA_DH, the value which server sends to client i.e. gx is fixed and stored in certificate. So, the "ServerKeyExchange" message is not sent. Now, client sends its gy value in "ClientKeyExchange" message and this is encrypted with RSA public key cryptography algorithm whose certificate server has already sent in "Certificate" message.

In RSA_DHE, the "ServerKeyExchange" message takes place where server sends gx to the client.

TLS Handshake

Now my question is what is the difference between the two? Since the premaster secret is calculated from the value (gx)y, Therefore, even in RSA_DH, if the client sends different gy values in each session, then (gx)y value will be different. (I think even if he doesn't still my argument holds) Therefore it will achieve forward secrecy as in RSA_DHE. And the poor attacker won't be able to get premaster secret even after getting the value of gy by compromising the server private key. So, in both cases he won't be able to calculate premaster secret. So why Ephemeral one (RSA_DHE) is said to achieve forward secrecy and other one not?

Improve this question

2 Answers 2

Reset to default
24

Diffie-Hellman is an asymmetric algorithm, with a public key and a private key.

In a "DH_RSA" cipher suite, the server's "permanent" key pair is a DH key pair. The public key is in the server's certificate. That certificate, like any certificate, has been signed by a CA, and that CA uses a RSA key pair (that's what the 'RSA' means in "DH_RSA").

In a "DHE_RSA" cipher suite, the server's permanent key pair has type RSA; the RSA public key is in the server's certificate (the cipher suite says nothing about the type of key used by the issuing CA, but it is usually RSA as well). When a client connects, the server generates a transient DH key pair and sends the public key to the client as a ServerKeyExchange message; the server signs that message with its permanent RSA private key.

Forward secrecy is a property defined relatively to ulterior theft of server secrets. "DHE_RSA" cipher suites provide forward secrecy because the actual key exchange secret (the DH private key) is transient, thus not saved by the server -- if the server does not save that key on its disk, then it should be immune to ulterior theft. Conversely, "DH_RSA" implies that the DH private key is stored somewhere on the server's hard disk, and if that key is stolen, then past recorded session can be decrypted.

One must note that some servers will keep they DH key pairs around for some time, usually in RAM; they don't make a new DH key pair for each client. This behaviour has some performance benefits but slightly weakens the forward secrecy, by definition. This really depends on the model you use to define "ulterior theft": are you talking about retrieving an old hard disk in a dumpster, or a malware that inspect RAM contents?

Improve this answer
4
  • Hi, I was able to answer first part of my question, i.e. why there is no need to send any "ServerKeyExchange" message. But I was not able to understand why simple RSA_DH does not support forward secrecy. I have reframed the question. Also, In your answer you are telling RSA_DH is simply RSA, where server doesn't send its g^x value part of Diffie Hellman key exchange. Commented Apr 11, 2016 at 17:58
  • 2
    I am telling that DH_RSA is basically DH, not basically RSA. Commented Apr 11, 2016 at 18:26
  • Yeah just came to know that there are certificate for DH also, where g^x is the public key and private key is x. But, this is insecure and can be compromised by an active man in the middle attack. Commented Apr 11, 2016 at 18:42
  • 3
    It is a certificate. The point of the certificate is to prevent MitM. You may be confusing DH_RSA (DH public key in a certificate, signed by a CA) with DH_anon (no certificate at all, DH public key sent in an unsigned ServerKeyExchange message). Commented Apr 11, 2016 at 18:49
3

But I was not able to understand why simple RSA_DH does not support forward secrecy.

Lets say Alice is the client and Bob is the server and use the variable names from your diagram.

In non ephemeral dh b is part of the certificate which means B is a long term secret. Eve records the session including the value of a.

Some time later Eve gets hold of B, maybe she hacked the server, maybe she called her friends in law enforcement who forced the server admin to hand it over. Eve can then calculate aB and hence calculate the session secret and decrypt the session.

With ephemeral dh B is only a short term secret. So Eve's later compromise of the server is far less likely to reveal it.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.