Deploying Forward Secrecy
Update (5 August 2013): In my follow-up post, I discuss how to configure Apache, Nginx, and OpenSSL to support Forward Secrecy.
With revelations about mass surveillance in the news everywhere, an obscure feature of SSL/TLS called Forward Secrecy has suddenly become very interesting. So what is it, and why is it so interesting now?
Session keys generation and exchange
Every SSL connection begins with a handshake, during which the parties communicate their capabilities to the other side, perform authentication, and agree on their session keys, in the process called key exchange. The session keys are used for a limited time and deleted afterwards. The goal of the key exchange phase is to enable the two parties to negotiate the keys securely, in other words, to prevent anyone else from learning these keys.
Several key exchange mechanisms exist, but, at the moment, by far the most commonly used one is based on RSA, where the server's private key is used to protect the session keys. This is an efficient key exchange approach, but it has an important side-effect: anyone with access to a copy of the server's private key can also uncover the session keys and thus decrypt everything.
For some, the side-effects are desirable. Many network security devices, for example, can be configured to decrypt communication (and inspect traffic) when given servers' private keys. Without this capability, passive IDS/IPS and WAF devices have no visibility into the traffic and thus provide no protection.
In the context of mass surveillance, however, the RSA key exchange is a serious liability. Your adversaries might not have your private key today, but what they can do now is record all your encrypted traffic. Eventually, they might obtain the key in one way or another (e.g., by bribing someone, obtaining a warrant, or by breaking the key after sufficient technology advances) and, at that time, they will be able to go back in time to decrypt everything.
Diffie–Hellman key exchange
An alternative to RSA-based key exchange is to use the ephemeral Diffie-Hellman algorithm, which is slower, but generates session keys in such a way that only the two parties involved in the communication can obtain them. No one else can, even if they have access to the server's private key.1
After the session is complete, and both parties destroy the session keys, the only way to decrypt the communication is to break the session keys themselves. This protocol feature is known as Forward Secrecy.2
Now, breaking strong session keys is clearly much more difficult than obtaining servers' private keys (especially if you can get them via a warrant). Furthermore, in order to decrypt all communication, now you can no longer compromise just one key (the server's), but you have to compromise the session keys belonging to every individual communication session.
SSL and Forward Secrecy
SSL supports Forward Secrecy using two algorithms, the standard Diffie-Hellman (DHE) and the adapted version for use with Elliptic Curve cryptography (ECDHE). Why isn't everyone using them, then?
Assuming the interest and knowledge to deploy Forward Secrecy is there, two obstacles remain:
- DHE is significantly slower. For this reason, web site operators tend to disable all DHE suites in order to achieve better performance. In recent years, we've seen DHE fall out of fashion. Internet Explorer 9 and 10, for example, support DHE only in combination with obsolete DSA keys.
- ECDHE too is slower, but not as much as DHE. (Vincent Bernat published a blog post about the impact of ECDHE on performance, but be warned that the situation might have changed since 2011. I am planning to do my own tests soon.) However, ECDHE algorithms are relatively new and not as widely supported. For example, they were added to OpenSSL only fairly recently, in the 1.x releases.
If you're willing to support both ECDHE and DHE, then you will probably be able to support Forward Secrecy with virtually all clients. But ECDHE alone is supported by all major modern browsers, which means that even with only ECDHE you might be able to cover a very large chunk of your user base. The decision what to do is entirely up to you. Google, for example, do not support any DHE suites on their main web sites.
Configuring Forward Secrecy
Enabling Forward Secrecy can be done in two steps:
- Configure your server to actively select the most desirable suite from the list offered by SSL clients.
- Place ECDHE and DHE suites at the top of your list. (The order is important; because ECDHE suites are faster, you want to use them whenever clients supports them.)
Knowing which suites to enable and move to the top can be tricky, because not all browsers (devices) support all Forward Secrecy suites. At this point you may want to look for inspiration from those who are already supporting Forward Secrecy, for example Google.
In the nutshell, these are some of the suites you might want to enable3 and push (close) to the top:
To make this process easier, I've added a new feature to the SSL Labs test; this feature, tentatively called handshake simulation, understands the capabilities of major browsers and determines which suite would be negotiated with each. As a result, it also tells you if the negotiated suite supports Forward Secrecy.
Here's what it looks like in action:
When you get it right, you will be rewarded with a strong forward secrecy indicator in the summary section at the top:
Alternative attack vectors
Although the use of Diffie-Hellman key exchange eliminates the main attack vector, there are other actions powerful adversaries could take. For example, they could convince the server operator to simply record all session keys.
Server-side session management mechanisms could also impact Forward Secrecy. For performance reasons, session keys might be kept for many hours after the conversation had been terminated.
In addition, there is an alternative session management mechanism called session tickets, which uses separate encryption keys that are rarely rotated (possibly never in extreme cases). Unless you understand your session tickets implementation very well, this feature is best disabled to ensure it does not compromise Forward Secrecy.
(1) Someone with access to the server's private key can, of course, perform an active man in the middle attack and impersonate the server. However, they can do that only at the time the communication is taking place. It is not possible to pile up mountains of encrypted traffic to decrypt later.
(2) It's also sometimes called Perfect Forward Secrecy (PFS), but, because it is possible to uncover the communication by breaking the session keys, it's clearly not perfect.
(3) I am assuming the most common case, that you have an RSA key (virtually everyone does). There's a number of ECDHE suites that need to enabled if you're using an ECDSA key. I am also ignoring GCM suites for the time being, because they are not very widely supported. I am also ignoring any potential desire to mitigate BEAST by favouring RC4, which might be impossible to do across all client devices.