Friday, July 3, 2020

Perfect Forward Secrecy in TLS

Perfect Forward Secrecy (PFS) is a property of a key exchange that prevents an attacker from decrypting previously recorded sessions even after the server's long-term private key is leaked.

Problem: TLS 1.2 with RSA key exchange








The attacker is listening to the conversation and records all the encrypted GET request messages and saves them, even though he does not have the private key to decrypt them.

Say that a few months later the server turns out to have a buffer overflow bug (strictly speaking an over-read) that lets the attacker ask the server for more data than it should return. The private key is cached in the server's memory, so the data returned to the attacker may contain the private key as well.

Now the attacker has the private key. With RSA key exchange the client sends the premaster secret encrypted under the server's public key, so the attacker decrypts the recorded ClientKeyExchange, derives the same symmetric session key, and with that key decrypts all the recorded messages and reads their contents.


To solve this problem we use PFS. Ephemeral Diffie-Hellman provides it: DHE (finite-field) or ECDHE (elliptic-curve) generates a fresh key pair for every session and discards it after the handshake, so no long-term key can ever decrypt the recorded traffic. Plain (static) Diffie-Hellman does not give PFS. Diffie-Hellman is used just for key exchange, not for encryption: the agreed secret is only used to derive the symmetric session key.








In TLS 1.3 the RSA key exchange was removed and an ephemeral (EC)DHE exchange is mandatory, so the symmetric key is always derived from a secret that exists only for that particular session.
In this case even if the server's private key leaks later, it can only be used to verify or forge signatures (so the attacker could impersonate the server from then on and the key must still be rotated), but nobody can read the recorded messages.
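The scenario above, as an added worked example that is not part of the original post: a toy model of a TLS 1.2 session with RSA key exchange next to one with DHE_RSA, a recorded transcript of each, and the attacker's attempt to recover the GET request after the server's private key leaks. The RSA modulus, the DH group, the key derivation and the XOR stream cipher are toy stand-ins chosen so that the script runs on the Python standard library alone; real TLS uses 2048-bit keys, standard groups or curves, the TLS PRF and an AEAD cipher such as AES-GCM.

```python
"""Toy model of the two TLS 1.2 key exchanges discussed above, and of what a
recorded transcript plus a later-leaked server private key lets an attacker do.
Added example, not code from the original post.  Toy RSA/DH parameters and a
toy stream cipher are used so it runs on the standard library alone."""
import hashlib
import secrets
from dataclasses import dataclass

# Toy long-term server RSA key (assumption: ~150-bit modulus; real keys are 2048+ bits).
_P, _Q = 2**61 - 1, 2**89 - 1                       # two Mersenne primes
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))         # the private key that leaks later

# Toy Diffie-Hellman group (assumption; real TLS uses >=2048-bit groups or curves).
DH_P, DH_G = 2**127 - 1, 3


def derive_key(shared_secret: int) -> bytes:
    """Session key from the agreed secret (stands in for the TLS PRF)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream (stands in for the record-layer cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ k for x, k in zip(data[i:i + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt   # an XOR stream cipher is its own inverse


def _params_digest(ga: int) -> int:
    """Hash of the signed DH parameters, truncated to 128 bits so it is below RSA_N."""
    return int.from_bytes(hashlib.sha256(f"{DH_P}:{DH_G}:{ga}".encode()).digest()[:16], "big")


@dataclass
class Transcript:
    """Everything a passive eavesdropper can record from one session."""
    key_exchange: str
    handshake: dict          # RSA: encrypted premaster; DHE: g^a, g^b, signature
    ciphertext: bytes        # the recorded encrypted GET request


def rsa_key_exchange_session(request: bytes) -> Transcript:
    """TLS_RSA_*: the client encrypts a premaster secret to the server's public key."""
    premaster = secrets.randbelow(RSA_N)
    client_key_exchange = pow(premaster, RSA_E, RSA_N)
    key = derive_key(premaster)                      # both sides derive the same key
    return Transcript("RSA", {"encrypted_premaster": client_key_exchange},
                      toy_encrypt(key, request))


def dhe_rsa_session(request: bytes) -> Transcript:
    """TLS_DHE_RSA_*: fresh DH exponents per session; RSA only signs the server's share."""
    a = secrets.randbelow(DH_P - 2) + 1              # server's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1              # client's ephemeral secret
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)  # ServerKeyExchange / ClientKeyExchange
    signature = pow(_params_digest(ga), RSA_D, RSA_N)  # server proves ga is really its share
    key = derive_key(pow(gb, a, DH_P))               # client computes pow(ga, b, DH_P): same key
    # a and b are dropped here; nothing persistent holds them after the handshake.
    return Transcript("DHE_RSA", {"ga": ga, "gb": gb, "signature": signature},
                      toy_encrypt(key, request))


def attacker_decrypts(t: Transcript, leaked_d: int, effort: int = 20_000):
    """What the eavesdropper can do with the recording once the server's RSA key leaks.

    Returns the recovered plaintext, or None if the recording stays opaque."""
    if t.key_exchange == "RSA":
        # The recorded ClientKeyExchange decrypts under the leaked key: premaster -> session key.
        premaster = pow(t.handshake["encrypted_premaster"], leaked_d, RSA_N)
        return toy_decrypt(derive_key(premaster), t.ciphertext)
    # DHE: the leaked key only lets the attacker check (or, from now on, forge) signatures.
    assert pow(t.handshake["signature"], RSA_E, RSA_N) == _params_digest(t.handshake["ga"])
    # The session key needs an exponent that never left either endpoint, i.e. a discrete log.
    # A bounded brute-force search stands in for that infeasible computation.
    for guess in range(1, effort):
        if pow(DH_G, guess, DH_P) == t.handshake["ga"]:
            return toy_decrypt(derive_key(pow(t.handshake["gb"], guess, DH_P)), t.ciphertext)
    return None


if __name__ == "__main__":
    request = b"GET /account HTTP/1.1\r\nCookie: session=abc123\r\n\r\n"  # constructed sample
    print("RSA key exchange, key leaked later:", attacker_decrypts(rsa_key_exchange_session(request), RSA_D))
    print("DHE_RSA, key leaked later:        ", attacker_decrypts(dhe_rsa_session(request), RSA_D))
```

Running the script prints the recovered request for the RSA-key-exchange transcript and None for the DHE_RSA transcript: the same leaked key that opens every recorded RSA session gives nothing against the ephemeral exchange, which is exactly the PFS property. Python 3.8 or newer is needed for pow(e, -1, n).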

Note: the TLS 1.2 handshake needs two round trips before application data can be sent, whereas TLS 1.3 needs a single round trip. That is one advantage of TLS 1.3.


Cipher suites:

###Weak and insecure ciphers:
TLS_RSA_WITH_RC4_128_SHA
RSA: key exchange algorithm (the client encrypts the premaster secret to the server's RSA key, so a leaked key decrypts every recorded session: no PFS)
RC4: symmetric stream cipher, broken; RC4 suites are prohibited in TLS by RFC 7465
SHA: the hash of the HMAC-SHA1 that authenticates records (in TLS 1.2 the PRF is SHA-256 by default). It is not the algorithm used to sign the certificate; the certificate signature is a property of the certificate, not of the cipher suite.

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
DHE: Diffie-Hellman ephemeral, the key exchange. RSA here is only the signature algorithm that authenticates the server's DH share, so this suite does provide PFS.
It is still considered weak because of the CBC + HMAC-SHA1 construction (padding-oracle attacks such as Lucky 13) and because many servers used 1024-bit DH groups (Logjam). The same DHE_RSA with AES-GCM and a 2048-bit or larger group is fine.
Rule of thumb: RSA in the first position (TLS_RSA_WITH_...) means RSA key exchange and no PFS; RSA after DHE or ECDHE is just the signature.

TLS_RSA_WITH_AES_128_CBC_SHA
AES-128-CBC with HMAC-SHA1, but again RSA key exchange, so no PFS.

##Strong ciphers:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE: elliptic-curve Diffie-Hellman ephemeral (key exchange with PFS); RSA: certificate signature; AES_128_GCM: AEAD cipher; SHA256: PRF hash
ECDHE gives forward secrecy, but a suite is only strong if the rest of it is too: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA has PFS and is still weak. Prefer (EC)DHE together with an AEAD cipher (GCM, CCM or ChaCha20-Poly1305).

TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(DHE suites have PFS as well; make sure the server's DH group is at least 2048 bits.)


To check which cipher suites a particular web server supports, use:
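Added example (not from the original post): a Python script that splits IANA cipher-suite names like the ones listed above into key exchange, authentication, cipher and hash, flags the weak parts, and probes a server for the TLS 1.2 suites it accepts by offering them one at a time through the standard ssl module. The grading rules (EPHEMERAL_KX, WEAK_CIPHERS, AEAD_MODES) are my own simplified policy, not a standard; the probe needs network access. For a full scan use a dedicated tool such as nmap --script ssl-enum-ciphers, sslscan or testssl.sh.

```python
"""Grade TLS cipher suites by their IANA names and probe which ones a server
accepts.  Added example, not code from the original post or any project."""
import re
import socket
import ssl
from dataclasses import dataclass, field

EPHEMERAL_KX = {"ECDHE", "DHE"}           # fresh secret per session -> forward secrecy
WEAK_CIPHERS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "IDEA", "SEED"}
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}

# TLS 1.2-style names: TLS_<kx[_auth]>_WITH_<cipher>[_<digest>] (CCM suites have no digest)
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)(?:_(?P<digest>SHA\d*|MD5))?$")
# TLS 1.3 names carry only the AEAD and hash: key exchange is always ephemeral (EC)DHE
_SUITE13_RE = re.compile(r"^TLS_(?P<cipher>.+)_(?P<digest>SHA\d+)$")


@dataclass
class SuiteInfo:
    name: str
    key_exchange: str        # "ECDHE", "DHE", static "RSA"/"DH"/"ECDH", or "TLS1.3"
    authentication: str      # "RSA" after DHE/ECDHE is a signature, not key transport
    cipher: str
    digest: str              # HMAC hash (CBC suites) or PRF/HKDF hash (AEAD suites)
    forward_secrecy: bool
    weaknesses: list = field(default_factory=list)

    @property
    def strong(self) -> bool:
        return self.forward_secrecy and not self.weaknesses


def classify(name: str) -> SuiteInfo:
    """Split an IANA suite name into its algorithms and list why it is weak, if it is."""
    if m := _SUITE_RE.match(name):
        kx, *rest = m["kx"].split("_")
        auth = rest[0] if rest else kx   # bare "RSA" means RSA key transport + RSA auth
        digest = m["digest"] or "SHA256"  # omitted for CCM suites, whose PRF is SHA-256 (RFC 6655)
        info = SuiteInfo(name, kx, auth, m["cipher"], digest, kx in EPHEMERAL_KX)
        if not info.forward_secrecy:
            info.weaknesses.append(f"no forward secrecy (static {kx} key exchange)")
        if auth in {"anon", "NULL"}:
            info.weaknesses.append("no server authentication")
    elif m := _SUITE13_RE.match(name):
        info = SuiteInfo(name, "TLS1.3", "certificate", m["cipher"], m["digest"], True)
    else:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    tokens = set(info.cipher.split("_"))
    for bad in sorted(WEAK_CIPHERS & tokens):
        info.weaknesses.append(f"broken or legacy cipher {bad}")
    if not tokens & AEAD_MODES:
        info.weaknesses.append("non-AEAD record protection (CBC/stream + HMAC)")
    if info.digest == "MD5":
        info.weaknesses.append("MD5-based MAC")
    return info


def server_supported_ciphers(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Offer TLS 1.2 suites one at a time and return those the server accepts.

    Each entry is (OpenSSL name, key-exchange label, aead flag) from the ssl module.
    This is what scanners such as nmap's ssl-enum-ciphers do; it needs network access
    and does not cover TLS 1.3, whose suites are fixed by the protocol."""
    catalogue = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    catalogue.set_ciphers("ALL:COMPLEMENTOFDEFAULT")   # every suite this OpenSSL knows
    accepted = []
    for entry in catalogue.get_ciphers():
        if entry["protocol"] == "TLSv1.3":
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE            # enumerating, not authenticating
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(entry["name"])         # offer exactly one suite
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append((tls.cipher()[0], entry.get("kea"), entry.get("aead")))
        except (ssl.SSLError, OSError):
            continue          # suite rejected by the server (or not configurable locally)
    return accepted


if __name__ == "__main__":
    import sys
    for suite in ("TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"):
        s = classify(suite)
        print(f"{suite}: PFS={s.forward_secrecy} strong={s.strong} {s.weaknesses}")
    if len(sys.argv) > 1:                         # e.g. python3 ciphers.py example.com
        for name, kea, aead in server_supported_ciphers(sys.argv[1]):
            print(f"{name:40s} {kea} aead={aead}")
```

The classify() part works offline and shows, for the suites discussed on this page, that DHE_RSA with CBC has forward secrecy but is not strong, that ECDHE with 3DES is likewise not strong, and that only TLS_RSA_ suites lack PFS. Run the script with a hostname to list the TLS 1.2 suites a live server negotiates; Python 3.8 or newer is required.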


