On Tue, Sep 10, 2013 at 12:56:16PM -0700, Bill Stewart wrote:
> I thought the normal operating mode for PFS is that there's an
> initial session key exchange (typically RSA) and authentication,
> which is used to set up an encrypted session, and within that
> session there's a DH or ECDH key exchange to set up an ephemeral
> session key, and then that session key is used for the rest of the
> session.
This is not the case in TLS. The EDH or EECDH key exchange is performed in
the clear. The server EDH parameters are signed with the server's private key.

https://tools.ietf.org/html/rfc2246#section-7.4.3

In TLS with EDH (aka PFS), breaking the public key algorithm of the server
certificate enables active attackers to impersonate the server (including
MITM attacks). Breaking the Diffie-Hellman or EC Diffie-Hellman algorithm
used allows a passive attacker to recover the session keys (the break must be
repeated for each target session); this holds even if the certificate
public-key algorithm remains secure.

-- 
Viktor.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
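The exchange Viktor describes, as an added example that is not part of the original message and not code from any TLS implementation: a toy Python model of the EDH ServerKeyExchange. The server picks a fresh exponent y, sends (p, g, Ys) in the clear, and signs them together with client_random and server_random as RFC 2246 section 7.4.3 specifies; the client checks that signature before using the parameters. Two attackers are then modelled: a passive one that never touches the RSA key and instead solves the discrete log of Ys for one session, and an active one that forges its own ServerKeyExchange, which the client accepts only when the attacker holds the certificate's private key. All numbers (a 17-bit DH prime, a 40-bit textbook RSA key, SHA-256 reduced mod n as the "digest", the seeds) are constructed assumptions chosen so the per-session DH break runs in milliseconds; real TLS parameters are 2048 bits or more and RSA signatures are padded.

```python
"""Toy model of the TLS ephemeral Diffie-Hellman (EDH) handshake.

Added illustration, not code from the original message. The DH group and
the RSA key are deliberately tiny so the "break DH per session" attack can
run here; real TLS uses >= 2048-bit parameters and padded signatures.
"""
import hashlib
import random

# Constructed toy parameters (assumptions for illustration only).
DH_P = 65537                    # prime; 3 is a primitive root, so log_g is unique
DH_G = 3
RSA_P, RSA_Q = 999983, 1000003  # small primes for the server's "certificate" key
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's private key


def _hash_to_int(*fields) -> int:
    """RFC 2246 7.4.3: the signature covers client_random, server_random and
    the ServerDHParams. Textbook RSA here, so the digest is reduced mod n."""
    msg = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N


def rsa_sign(d: int, *fields) -> int:
    return pow(_hash_to_int(*fields), d, RSA_N)


def rsa_verify(e: int, sig: int, *fields) -> bool:
    return pow(sig, e, RSA_N) == _hash_to_int(*fields)


def server_key_exchange(signing_key, client_random, server_random, rng):
    """ServerKeyExchange: fresh ephemeral y, Ys = g^y mod p, parameters signed
    with the certificate key. Returns (message sent in the clear, secret y)."""
    y = rng.randrange(2, DH_P - 1)
    ys = pow(DH_G, y, DH_P)
    sig = rsa_sign(signing_key, client_random, server_random, DH_P, DH_G, ys)
    return (DH_P, DH_G, ys, sig), y


def client_key_exchange(server_pub_e, client_random, server_random, msg, rng):
    """Client verifies the signature before trusting (p, g, Ys); returns
    (Yc, premaster) or None when the parameters were not signed by the server."""
    p, g, ys, sig = msg
    if not rsa_verify(server_pub_e, sig, client_random, server_random, p, g, ys):
        return None
    x = rng.randrange(2, p - 1)
    return pow(g, x, p), pow(ys, x, p)


def server_premaster(y, yc):
    return pow(yc, y, DH_P)


def passive_recover(msg, yc):
    """Eavesdropper sees p, g, Ys and Yc in the clear and never needs the RSA
    key: solving y = log_g(Ys) gives the premaster secret. The brute force is
    feasible only because p is tiny, and the work is repeated for every session."""
    p, g, ys, _sig = msg
    acc = 1
    for y in range(1, p):
        acc = acc * g % p          # acc == g^y mod p
        if acc == ys:
            return pow(yc, y, p)
    return None


def run_handshake(seed):
    """One EDH handshake plus the eavesdropper's result; seed makes it repeatable."""
    rng = random.Random(seed)
    cr, sr = rng.getrandbits(32), rng.getrandbits(32)
    msg, y = server_key_exchange(RSA_D, cr, sr, rng)
    yc, client_pms = client_key_exchange(RSA_E, cr, sr, msg, rng)
    return {"client": client_pms, "server": server_premaster(y, yc),
            "eavesdropper": passive_recover(msg, yc)}


def mitm_attempt(attacker_signing_key, seed):
    """Active attacker substitutes its own (p, g, Ys) and signs them itself.
    The client accepts the forgery iff the attacker holds the server's private key."""
    rng = random.Random(seed)
    cr, sr = rng.getrandbits(32), rng.getrandbits(32)
    forged, _y = server_key_exchange(attacker_signing_key, cr, sr, rng)
    return client_key_exchange(RSA_E, cr, sr, forged, rng) is not None


if __name__ == "__main__":
    r = run_handshake(1)
    print("premaster agreed:", r["client"] == r["server"])
    print("eavesdropper recovered it by solving DH:", r["eavesdropper"] == r["client"])
    print("MITM with stolen certificate key accepted:", mitm_attempt(RSA_D, 2))
    print("MITM with a wrong key accepted:", mitm_attempt(123456789, 2))
```

The two results map directly onto the two sentences above: `passive_recover` succeeds without ever touching `RSA_D`, so a DH break defeats forward secrecy one session at a time no matter how strong the certificate key is, while `mitm_attempt` only succeeds with the real signing key, so a broken certificate algorithm buys impersonation but not passive decryption of sessions whose DH exponents were discarded.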