Transport Layer Security
===Forward secrecy===
{{Main|Forward secrecy}}
Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.<ref>{{cite journal|first1=Whitfield|last1=Diffie|last2=van Oorschot|first2=Paul C|last3=Wiener|first3=Michael J.|title=Authentication and Authenticated Key Exchanges|issue=2|journal=Designs, Codes and Cryptography|volume=2|pages=107–125|date=June 1992|doi=10.1007/BF00124891|url=http://citeseer.ist.psu.edu/diffie92authentication.html|access-date=2008-02-11|url-status=live|archive-url=https://web.archive.org/web/20080313081157/http://citeseer.ist.psu.edu/diffie92authentication.html|archive-date=2008-03-13|citeseerx=10.1.1.59.6682|s2cid=7356608}}</ref> Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it (provided that these past sessions were intercepted and stored at the time of transmission).<ref>{{Cite web|url=http://www1.ietf.org/mail-archive/web/tls/current/msg02134.html|archive-url=https://web.archive.org/web/20130922103746/http://www.ietf.org/mail-archive/web/tls/current/msg02134.html|url-status=dead|title=Discussion on the TLS mailing list in October 2007|archive-date=22 September 2013|access-date=20 February 2022}}</ref> An implementation of TLS can provide forward secrecy by requiring the use of ephemeral [[Diffie–Hellman key exchange]] to establish session keys, and some notable TLS implementations do so exclusively: e.g., [[Gmail]] and other Google HTTPS services that use [[OpenSSL]].<ref>{{cite web|url=http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|title=Protecting data for the long term with forward secrecy|access-date=2012-11-05|url-status=live|archive-url=https://web.archive.org/web/20130506184654/http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|archive-date=2013-05-06}}</ref> However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.<ref>{{cite web|url=https://vincent.bernat.ch/en/blog/2011-ssl-perfect-forward-secrecy|title=SSL/TLS & Perfect Forward Secrecy|first=Vincent|last=Bernat|date=28 November 2011|access-date=2012-11-05|url-status=live|archive-url=https://web.archive.org/web/20120827064047/https://vincent.bernat.ch/en/blog/2011-ssl-perfect-forward-secrecy|archive-date=2012-08-27}}</ref><ref>{{cite web|title=SSL Labs: Deploying Forward Secrecy|url=https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|publisher=Qualys.com|access-date=2013-07-10|date=2013-06-25|url-status=live|archive-url=https://web.archive.org/web/20130626193314/https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|archive-date=2013-06-26}}</ref> In practice, unless a web service uses Diffie–Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key, e.g., by means of a court order.<ref>{{cite web|last=Ristic|first=Ivan|title=SSL Labs: Deploying Forward Secrecy|url=https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|publisher=Qualys|access-date=2013-08-31|date=2013-08-05|url-status=live|archive-url=https://web.archive.org/web/20130920150259/https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|archive-date=2013-09-20}}</ref> Even where Diffie–Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy.

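The difference the paragraph above describes (a leaked long-term key exposing every recorded session under static key exchange, but none under ephemeral Diffie–Hellman) can be shown end to end with a few dozen lines. The following is an added illustration written for this page; it is not code from the article, from OpenSSL or from any TLS implementation. It models a passive recorder that stores each handshake and ciphertext, then later obtains the server's long-term private key. Everything in it is constructed: the group (p = 2**127 - 1, a Mersenne prime chosen only because it is small and fits in 16 bytes, nothing like a real 2048-bit MODP group or an elliptic curve), the HMAC-based toy stream cipher, and the session messages.

```python
"""Ephemeral vs. static Diffie-Hellman: why ephemeral keys give forward secrecy.

Added illustration; not code from the Wikipedia article or any TLS stack.
A passive recorder stores every handshake and ciphertext. Later the server's
long-term private key leaks. With a static DH key (the old TLS_DH_* suites)
every recorded session key can be recomputed; with ephemeral keys (DHE/ECDHE)
the per-session secrets were discarded, so nothing is recovered.
"""
import hashlib
import hmac
import secrets

# Toy group constructed for the example: p = 2**127 - 1 (a Mersenne prime) is
# far too small for real use. TLS uses 2048-bit+ MODP groups or elliptic curves.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private, public) for one Diffie-Hellman party."""
    priv = secrets.randbelow(P - 2) + 2          # uniform in [2, p-1]
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte session key from the shared secret peer_pub**priv mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream_xor(key, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode); demo only, not for real use."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def run_sessions(n, ephemeral, server_long_priv, server_long_pub):
    """Run n handshakes. Returns (what the recorder captured, the true plaintexts).

    ephemeral=True  : server draws a fresh DH key per session (DHE, forward secret).
    ephemeral=False : server reuses its long-term DH key (static DH, no forward secrecy).
    """
    captured, plaintexts = [], []
    for i in range(n):
        if ephemeral:
            srv_priv, srv_pub = dh_keypair()
        else:
            srv_priv, srv_pub = server_long_priv, server_long_pub
        cli_priv, cli_pub = dh_keypair()
        key = session_key(cli_priv, srv_pub)
        assert key == session_key(srv_priv, cli_pub)   # both sides agree
        msg = f"session {i}: confidential payload".encode()   # constructed message
        captured.append({"client_pub": cli_pub, "server_pub": srv_pub,
                         "ciphertext": keystream_xor(key, msg)})
        plaintexts.append(msg)
        del srv_priv, cli_priv, key   # per-session secrets are not retained
    return captured, plaintexts


def recover_after_compromise(captured, leaked_server_priv):
    """The recorder now holds the server's long-term private key and retries
    every recorded session with it. Returns the bytes it obtains per session."""
    return [keystream_xor(session_key(leaked_server_priv, rec["client_pub"]),
                          rec["ciphertext"])
            for rec in captured]


def demo(n=3):
    """Return (recovered_static, recovered_ephemeral): sessions out of n whose
    plaintext the recorder reconstructs after the long-term key leaks."""
    long_priv, long_pub = dh_keypair()
    counts = []
    for ephemeral in (False, True):
        captured, plaintexts = run_sessions(n, ephemeral, long_priv, long_pub)
        got = recover_after_compromise(captured, long_priv)
        counts.append(sum(g == p for g, p in zip(got, plaintexts)))
    return tuple(counts)


if __name__ == "__main__":
    static_hits, ephemeral_hits = demo()
    print(f"static DH:    {static_hits}/3 recorded sessions decrypted after key leak")
    print(f"ephemeral DH: {ephemeral_hits}/3 recorded sessions decrypted after key leak")
```

In the static run the recorder recovers every session because the server's contribution to each shared secret was the same long-term key; in the ephemeral run the leaked key matches none of the recorded server public values, so the derived keys are wrong and decryption yields noise. The `del` line is the whole point of "ephemeral": the property only holds if the per-session private values are actually discarded, which is also why the page's remark about long-lived session ticket keys matters.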
The use of [[#Resumed TLS handshake|TLS session tickets]] (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.<ref name="botchingpfs"/><ref name="ticketsecwp"/><ref name="ticketsecslides"/> Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie–Hellman (DHE) key exchange to support forward secrecy were using weak Diffie–Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.<ref>{{cite journal|author1=L.S. Huang|author2=S. Adhikarla|author3=D. Boneh|author4=C. Jackson|title=An Experimental Study of TLS Forward Secrecy Deployments|journal=IEEE Internet Computing|date=2014|volume=18|issue=6|pages=43–51|url=http://crypto.stanford.edu/~dabo/pubs/abstracts/websec_ecc.html|access-date=16 October 2015|url-status=live|archive-url=https://web.archive.org/web/20150920011317/http://crypto.stanford.edu/~dabo/pubs/abstracts/websec_ecc.html|archive-date=20 September 2015|doi=10.1109/MIC.2014.86|citeseerx=10.1.1.663.4653|s2cid=11264303}}</ref>

Since late 2011, Google has provided forward secrecy with TLS by default to users of its [[Gmail]] service, along with [[Google Docs]] and encrypted search, among other services.<ref name="googleLongTerm">{{cite web|url=http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|title=Protecting data for the long term with forward secrecy|access-date=2014-03-07|url-status=live|archive-url=https://web.archive.org/web/20140212214518/http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|archive-date=2014-02-12}}</ref> Since November 2013, [[Twitter]] has provided forward secrecy with TLS to users of its service.<ref>{{cite web|last=Hoffman-Andrews|first=Jacob|title=Forward Secrecy at Twitter|url=https://blog.twitter.com/2013/forward-secrecy-at-twitter-0|publisher=Twitter|access-date=2014-03-07|url-status=live|archive-url=https://web.archive.org/web/20140216041202/https://blog.twitter.com/2013/forward-secrecy-at-twitter-0|archive-date=2014-02-16}}</ref> {{As of|2019|08}}, about 80% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to most web browsers.<ref name="trustworthy_ssl_pulse"/>
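Whether a deployment is in the forward-secret 80% comes down to which key-exchange methods its cipher configuration still allows. The following added example (written for this page; not code from the article, from OpenSSL or from any server product) classifies cipher suites by key exchange and builds a Python server context that can only negotiate ephemeral suites. It assumes the dict shape and `kea` strings (`kx-ecdhe`, `kx-dhe`, `kx-any`) documented for Python's `SSLContext.get_ciphers()`, and standard OpenSSL cipher-string aliases (`ECDHE`, `DHE`, `AESGCM`, `CHACHA20`, `!aNULL`); the sample cipher list is constructed.

```python
"""Audit which enabled TLS cipher suites provide forward secrecy.

Added example; not code from the Wikipedia article, OpenSSL or any server.
Forward secrecy is decided by the key-exchange method: ECDHE/DHE suites and
every TLS 1.3 suite have it, RSA key transport and static DH/ECDH do not.
"""
import ssl

# "kea" values reported by SSLContext.get_ciphers() for ephemeral exchanges
# (assumed from the Python ssl documentation).
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe"}


def provides_forward_secrecy(cipher):
    """cipher is a dict from SSLContext.get_ciphers() or a suite name string."""
    if isinstance(cipher, dict):
        if cipher.get("protocol") == "TLSv1.3":
            return True                 # TLS 1.3 dropped every static key exchange
        return cipher.get("kea") in FORWARD_SECRET_KEA
    name = cipher.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True                     # IANA names of the TLS 1.3 suites
    # OpenSSL names (ECDHE-RSA-..., DHE-RSA-..., legacy EDH-...) and IANA names
    # (TLS_ECDHE_..., TLS_DHE_...). Static "ECDH-"/"TLS_DH_" contain none of these.
    return any(tok in name for tok in ("ECDHE", "DHE", "EDH"))


def audit(ciphers):
    """Split a cipher list into (forward-secret names, non-forward-secret names)."""
    fs, non_fs = [], []
    for c in ciphers:
        name = c["name"] if isinstance(c, dict) else c
        (fs if provides_forward_secrecy(c) else non_fs).append(name)
    return fs, non_fs


# OpenSSL cipher string keeping only ephemeral, authenticated TLS 1.2 suites.
# (TLS 1.3 suites are configured separately and are always forward secret.)
FS_ONLY_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def forward_secret_server_context():
    """Server context that cannot negotiate a non-forward-secret suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FS_ONLY_CIPHER_STRING)
    return ctx


# Constructed sample in the shape get_ciphers() returns (other fields trimmed),
# mixed with bare suite names as they appear in scanner output.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ECDH-RSA-AES128-SHA",
]

if __name__ == "__main__":
    fs, non_fs = audit(SAMPLE_CIPHERS)
    print("forward secret:    ", fs)
    print("NOT forward secret:", non_fs)
    # Audit what this Python/OpenSSL build actually enables by default.
    for name in audit(ssl.create_default_context().get_ciphers())[1]:
        print("default context still allows non-forward-secret suite:", name)
    print("restricted context enables", len(forward_secret_server_context().get_ciphers()), "suites")
```

The name-based path exists because cipher lists usually arrive as plain strings (scanner output, a server's configured cipher string); the dict path uses the key-exchange field directly, which is more reliable than parsing names. Note that a forward-secret cipher list is necessary but not sufficient: the paragraph above also requires sufficiently large DH parameters and regularly rotated session ticket keys.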