On Tue, Sep 10, 2013 at 12:56:16PM -0700, Bill Stewart wrote:

> I thought the normal operating mode for PFS is that there's an
> initial session key exchange (typically RSA) and authentication,
> which is used to set up an encrypted session, and within that
> session there's a DH or ECDH key exchange to set up an ephemeral
> session key, and then that session key is used for the rest of the
> session.

This is not the case in TLS.  The EDH or EECDH key exchange is
performed in the clear.  The server EDH parameters are signed with
the server's private key.

In TLS with EDH (aka PFS), breaking the public key algorithm of the
server certificate enables active attackers to impersonate the
server (including MITM attacks).  Breaking the Diffie-Hellman or
EC Diffie-Hellman algorithm used allows a passive attacker to
recover the session keys (the break must be repeated for each target
session); this holds even if the certificate public-key algorithm
remains secure.
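To make the point about the in-the-clear EDH exchange concrete, here is an added
illustration (not from the list thread or any TLS implementation) of the TLS 1.2
ServerKeyExchange flow: the server signs client_random || server_random ||
ServerDHParams with its long-term key, the client checks that signature before
using Ys, and every handshake derives a fresh premaster secret. The DH group is
the real 1024-bit MODP group 2 from RFC 2409, but the signing key is a constructed
textbook RSA key that is far too small to be secure and exists only to show the roles.

```python
import hashlib
import secrets

# Real DH group: 1024-bit MODP group 2 from RFC 2409. Public, sent in the clear.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G = 2

# Constructed toy "certificate" key: textbook RSA over two Mersenne primes,
# unpadded and tiny. It stands in for the server's long-term signing key only.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def skx_digest(client_random, server_random, ys):
    """What TLS 1.2 signs: ClientHello.random || ServerHello.random || ServerDHParams."""
    blob = (client_random + server_random + DH_P.to_bytes(128, "big")
            + bytes([DH_G]) + ys.to_bytes(128, "big"))
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % RSA_N

def server_key_exchange(client_random, server_random):
    """Server picks a fresh ephemeral DH key and signs Ys with its long-term key."""
    xs = secrets.randbelow(DH_P - 2) + 1          # ephemeral, never leaves the server
    ys = pow(DH_G, xs, DH_P)                      # sent in the clear
    sig = pow(skx_digest(client_random, server_random, ys), RSA_D, RSA_N)
    return xs, ys, sig

def client_key_exchange(client_random, server_random, ys, sig):
    """Client verifies the signature before using Ys; returns (Yc, premaster) or None."""
    if pow(sig, RSA_E, RSA_N) != skx_digest(client_random, server_random, ys):
        return None   # altered ServerDHParams without the cert key: reject the handshake
    xc = secrets.randbelow(DH_P - 2) + 1
    return pow(DH_G, xc, DH_P), pow(ys, xc, DH_P)

def run_handshake(tamper=False):
    """One EDH handshake as seen on the wire; only xs and xc stay private."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    xs, ys, sig = server_key_exchange(cr, sr)
    if tamper:
        ys = pow(DH_G, 12345, DH_P)   # substituted Ys cannot be re-signed without RSA_D
    res = client_key_exchange(cr, sr, ys, sig)
    if res is None:
        return None
    yc, premaster_client = res
    return premaster_client, pow(yc, xs, DH_P)    # client's and server's premaster
```

Running it twice shows the two sides agree on a premaster that differs per session, which is why a DH break must be repeated for each target session, while a forged Ys is rejected as long as the signing key holds.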

The cryptography mailing list