3

In context SSL/TLS, reading up on various sites, I find forward secrecy in DH key exchange being linked to its ephemeral use i.e. DHE. I don't fully understand this link, where does following reasoning break?

If non-ephemeral use (plain DH) would not provide forward secrecy, and ephemerality refers to a new session key being made each time a new session is set up. Then the use of SSL/TLS Session IDs/Session Tickets would make DH-use non-ephemeral.

But how can the compromise of server public/private keys result in the compromise of an earlier established DH session key? I should presume that the nonces which were used are already discarded; and the storage associated to Session IDs/Session Tickets is not necessarily compromised if the server public/private keys are compromised?

otus
  • 32,462
  • 5
  • 75
  • 167
Eve Mallory
  • 31
  • 1

1 Answers1

4

Ephemerality does not refer to "a new session key being made each time a new session is set up", it refers to both parties' key pairs (and group elements) being freshly chosen. ​These Diffie-Hellman key pairs are should be ephemeral for forward secrecy; the session key is always ephemeral, even if static-static Diffie-Hellman is applied.

Any nonces are used as part of the session key calculation should be known at both sides. This means they have to be communicated in plain or they should be part of the key agreement algorithm. That means that the nonces are either known to the attacker or that they can be retrieved by reapplying the DH calculations (in the future, when the static DH private key is leaked). If ephemeral key pairs are used then DH cannot be reapplied because the private exponents are lost.

So the nonces may become available to an attacker for static-static and ephemeral-static Diffie-Hellman even when the sender and receiver have discarded the values long ago.

Note that there is a difference between the raw/textbook DH calculation and the DH scheme specified in e.g. NIST 800-56A: "Scheme Using No Ephemeral Key Pairs".

If you just apply the calculation then two static keys would result in a static key seed. The NIST scheme on the other hand includes a nonce send in plain so the resulting key seed will be ephemeral.

The answer assumes that the key seed is ephemeral.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323