GIBSON RESEARCH CORPORATION http://www.GRC.com/
SERIES: Security Now!
EPISODE: #412
DATE: July 10, 2013
TITLE: SSL & Perfect Forward Secrecy
SPEAKERS: Steve Gibson & Leo Laporte
SOURCE FILE: http://media.GRC.com/sn/SN-412.mp3
FILE ARCHIVE: GRC | Security Now! Episode Archive
So the problem, though, is that, for a long time we were comfortable, except when we really looked closely at the architecture of SSL because there is a - I don’t want to call it a “fault.” But it is a weakness that has always been present in the SSL that we’ve always been using.
And that is as follows: The private key, as we know when we connect to a remote server securely, the private key is something that only the server has. And the public key is signed by a certificate authority to authenticate that the public key belongs to the entity we want to connect to. Only the entity we want to connect to who has the matching private key that they never disclose is able to decrypt what is encrypted with the public key. So when an SSL connection is established - and anybody who wants more depth can go back to the podcast where we did SSL [SN-195]. We have an SSL podcast which takes this thing apart step by step. I’m going to go, going to take the high points that are relevant here because we have covered it in full detail in the past.
The user, who is the client, wants to connect to the server. They generate a random number and the list of cipher suites that they support. And I’ll explain exactly what that is in a second. They send that to the server. The server has its own list of cipher suites that it supports. And so essentially what the server has received from the user is I know all of these different crypto technologies, and I’ve listed them in the order I think I would like you to choose them, hopefully strongest to least strong. The server looks at that list, compares it with its list. It has its own list of things it knows.
And so the idea is that it chooses, the server chooses the strongest cipher that appears on both lists, is the best way to say that. And it generates a random number, which it sends back to the client. That is, so it sends the cipher it chose, the random number it chose, and its certificate. This is the certificate that it got signed by the authority, asserting to its identity and containing its public key.
So now the client says, okay, I know how to communicate cryptographically in a way that we both understand because from its big list one was chosen by the server and sent back. The client knows its random number and the server’s random number. So, which form part of the handshake. And this is where I’m not going to go into great detail because I did before. It generates another random number, completely separate from that, and it mixes all this together. And it encrypts that with the server’s public key and sends that back to the server.
Now, that’s the key. Because this certificate has been used for authentication. And the certificate containing the public key has also been used for encryption. That is, what the client encrypts under the server’s public key is the final agreed key that they’re going to be using for their conversation. This is the symmetric key, much shorter, 128 bits, maybe 256, typically not much more than that because that’s still plenty, which is encrypted with the server’s public key sent back to the server, under the theory that only the server can decrypt it.
Now, what’s the problem? The problem is, with this particular approach, the same key, that is, essentially the server’s private key, is protecting both the authentication, that is, it’s asserting its identity, and the encryption because the data exchanged is protected by encrypting with a public key which can be decrypted only with the server’s private key. And so that’s the problem.
If the threat model is anyone storing your encrypted traffic, if there’s somebody on the line, as we know there is, I mean, we don’t know that there isn’t somebody inside the organization. I contend, as I did at the beginning of the podcast, and we’ve discussed it before, well, we don’t know. We may never know. But we do absolutely know they’re outside tapping the Internet, tapping the fiber optics all over the place and sucking in encrypted traffic.
So what does the tapping person get? The person who is tapping the line gets all of the communications passing in both directions. And if, as in my theory, they’re right down at the spigot feeding Google, then they’re going to see the client traffic going in, and the server traffic coming back, and be able to extract the conversation, as it’s called, this SSL connection between TCP endpoints at the client and the server, and log that as its own thread. That is, here is a piece of communication which we cannot today decipher. And we believe that it is still extremely difficult for them to decrypt it.
Well, all they have to do is compel the release of the private key. That is, if they are recording all of the traffic, then the NSA can say we have a national security need to access traffic in the past. We need your private key.
LEO: Yeah. They can do that with a National Security Letter, and you’d never even know.
STEVE: Correct. And if they have the private key, then that - because that is protecting both authentication and encryption. They can decrypt, just as the server could, that final packet containing the agreed-upon keying material for this symmetric cipher, just as the server does, and that then gives them access to the entire stream, just as both server and client had.
Now, the creepy thought I had was, imagine this: Imagine that the NSA says, okay. We don’t want to be too onerous. We understand that it represents a problem for you to give us your private key. But, you know, you’re going to be expiring those every two or three years.
LEO: Yeah.
STEVE: So we’d like to have it after you’re done with it.
LEO: Oh. Because they’re storing it all.
STEVE: Yes.
LEO: No problem.
STEVE: So all they have to do is say, uh, don’t delete that. Just we want it when you’re done. After you’ve replaced it with your new keys, we want the old ones.
LEO: There might be some precedent there because they’ve already said, and I think the law agrees, that after six months nobody really owns that data. It’s old data. So what’s wrong with having the key to it?
STEVE: Yeah. And, I mean, what’s the argument? It’s like, well, they’re never saying they want the key we’re using. They’re just saying give us your old keys. We’d like to have those. And, by the way, that’s patriotic. Okay. So it just occurred to me as I was putting this together, it’s like, whoa, you know? They don’t have to demand the current one. I mean, maybe if there’s something, an absolute clear and present danger, oh my god, we’re absolutely sure a terrorist attack is imminent, we have to have this. Well, who’s going to say no? But it seems to me that it’s entirely feasible that they just say, give us your keys when you’re done.
LEO: Just the old ones. The old ones.
STEVE: You’re going to be getting rid of them anyway. Every two or three years you’re…
[Talking simultaneously]
STEVE: Yeah, you keep the new ones. Don’t worry. We’ll be keeping all the new traffic for when you expire those keys.
LEO: Yeah.
STEVE: And so, yeah. Very…
LEO: I’m sure that’s happening. That’s good, that’s…
STEVE: Doesn’t it make sense?
LEO: Sure.
STEVE: It absolutely makes sense. That’s why I said I’m sure I’m not the first person to think about this, so I can mention it. So how do we…